From 6173545dcd0d34dcadf1393c4e10b329f4b0db38 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 5 Nov 2020 13:15:13 -0800 Subject: [PATCH 1/8] Added ADMX_ControlPanel policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 19 +- .../mdm/policy-csp-admx-controlpanel.md | 362 ++++++++++++++++++ 4 files changed, 385 insertions(+), 1 deletion(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-controlpanel.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 8ff993ef33..9bb975d40f 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -177,6 +177,7 @@ #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) +#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a26052c419..1e7cd9e0e9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,10 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls) +- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) +- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) +- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 475eff78fd..b89a460193 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,24 @@ The following diagram shows the Policy configuration service provider in tree fo + +### ADMX_ControlPanel policies + +
+
+ ADMX_ControlPanel/DisallowCpls +
+
+ ADMX_ControlPanel/ForceClassicControlPanel +
+
+ ADMX_ControlPanel/NoControlPanel +
+
+ ADMX_ControlPanel/RestrictCpls +
+
+ ### ADMX_Cpls policies
@@ -262,7 +280,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- ### ADMX_CtrlAltDel policies
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md new file mode 100644 index 0000000000..8ae99cefe3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -0,0 +1,362 @@ +--- +title: Policy CSP - ADMX_ControlPanel +description: Policy CSP - ADMX_ControlPanel +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanel +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ControlPanel policies + +
+
+ ADMX_ControlPanel/DisallowCpls +
+
+ ADMX_ControlPanel/ForceClassicControlPanel +
+
+ ADMX_ControlPanel/NoControlPanel +
+
+ ADMX_ControlPanel/RestrictCpls +
+
+ + +
+ + +**ADMX_ControlPanel/DisallowCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. + +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide specified Control Panel items* +- GP name: *DisallowCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/ForceClassicControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. + +If this policy setting is enabled, the Control Panel opens to the icon view. + +If this policy setting is disabled, the Control Panel opens to the category view. + +If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. + +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always open All Control Panel Items when opening Control Panel* +- GP name: *ForceClassicControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/NoControlPanel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. + +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. + +This setting removes Control Panel from: + +- The Start screen +- File Explorer + +This setting removes PC settings from: + +- The Start screen +- Settings charm +- Account picture +- Search results + +If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to Control Panel and PC settings* +- GP name: *NoControlPanel* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ + +**ADMX_ControlPanel/RestrictCpls** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. + +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". + +If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. + +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show only specified Control Panel items* +- GP name: *RestrictCpls* +- GP path: *Control Panel* +- GP ADMX file name: *ControlPanel.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From 3d0264c4c5678927c8690d44141efaf9bfb699f4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 5 Nov 2020 15:26:41 -0800 Subject: [PATCH 2/8] Added ADMX_ControlPanelDisplay policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 24 + .../policy-configuration-service-provider.md | 77 + .../policy-csp-admx-controlpaneldisplay.md | 1825 +++++++++++++++++ 4 files changed, 1927 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 9bb975d40f..6fa7869867 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -178,6 +178,7 @@ #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) #### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 1e7cd9e0e9..e375180809 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -46,6 +46,30 @@ ms.date: 10/08/2020 - [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel) - [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel) - [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls) +- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable) +- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange) +- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui) +- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure) +- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme) +- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) +- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b89a460193..ce9320d5bb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -263,6 +263,83 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ControlPanelDisplay policies + +
+
+ ADMX_ControlPanelDisplay/CPL_Display_Disable +
+
+ ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
+
+ ### ADMX_Cpls policies
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md new file mode 100644 index 0000000000..48dc02d6db --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -0,0 +1,1825 @@ +--- +title: Policy CSP - ADMX_ControlPanelDisplay +description: Policy CSP - ADMX_ControlPanelDisplay +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/05/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ControlPanelDisplay +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ControlPanelDisplay policies + +
+
+ ADMX_ControlPanelDisplay/CPL_Display_Disable +
+
+ ADMX_ControlPanelDisplay/CPL_Display_HideSettings +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +
+
+ ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +
+
+ + +
+ + +**ADMX_ControlPanelDisplay/CPL_Display_Disable** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. + +If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. + +Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable the Display Control Panel* +- GP name: *CPL_Display_Disable* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Settings tab* +- GP name: *CPL_Display_HideSettings* +- GP path: *Control Panel\Display* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. + +If you enable this setting, a user cannot change the color scheme of the current desktop theme. + +If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. + +For Windows 7 and later, use the "Prevent changing color and appearance" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color scheme* +- GP name: *CPL_Personalization_DisableColorSchemeChoice* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. + +If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). + +If you disable or do not configure this setting, there is no effect. + +> [!NOTE] +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing theme* +- GP name: *CPL_Personalization_DisableThemeChange* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. + +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing visual style for windows and buttons* +- GP name: *CPL_Personalization_DisableVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. + +If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. + +If you do not configure it, this setting has no effect on the system. + +If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. + +Also, see the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable screen saver* +- GP name: *CPL_Personalization_EnableScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. + +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +Note: This setting only applies to Enterprise, Education, and Server SKUs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific default lock screen and logon image* +- GP name: *CPL_Personalization_ForceDefaultLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. + +If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. + +If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit selection of visual style font size* +- GP name: *CPL_Personalization_LockFontSize* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing lock screen and logon image* +- GP name: *CPL_Personalization_NoChangingLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. + +By default, users can change the look of their start menu background, such as its color or accent. + +If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. + +If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. + +If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing start menu background* +- GP name: *CPL_Personalization_NoChangingStartMenuBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. + +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + +If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. + +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing color and appearance* +- GP name: *CPL_Personalization_NoColorAppearanceUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. + +By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. + +If you enable this setting, none of the Desktop Background settings can be changed by the user. + +To specify wallpaper for a group, use the "Desktop Wallpaper" setting. + +Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. + +Also, see the "Allow only bitmapped wallpaper" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop background* +- GP name: *CPL_Personalization_NoDesktopBackgroundUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. + +By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. + +If you enable this setting, none of the desktop icons can be changed by the user. + +For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing desktop icons* +- GP name: *CPL_Personalization_NoDesktopIconsUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display the lock screen* +- GP name: *CPL_Personalization_NoLockScreen* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers. + +By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. + +If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing mouse pointers* +- GP name: *CPL_Personalization_NoMousePointersUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing screen saver* +- GP name: *CPL_Personalization_NoScreenSaverUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. + +By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. + +If you enable this setting, none of the Sound Scheme settings can be changed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changing sounds* +- GP name: *CPL_Personalization_NoSoundSchemeUI* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific background and accent color* +- GP name: *CPL_Personalization_PersonalColors* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. + +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. + +This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. + +If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. + +To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. + +> [!NOTE] +> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Password protect the screen saver* +- GP name: *CPL_Personalization_ScreenSaverIsSecure* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. + +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. + +This setting has no effect under any of the following circumstances: + +- The setting is disabled or not configured. + +- The wait time is set to zero. + +- The "Enable Screen Saver" setting is disabled. + +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. + +When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Screen saver timeout* +- GP name: *CPL_Personalization_ScreenSaverTimeOut* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. + +If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. + +If you disable this setting or do not configure it, users can select any screen saver. + +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. + +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. + +> [!NOTE] +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force specific screen saver* +- GP name: *CPL_Personalization_SetScreenSaver* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +If you disable or do not configure this setting, the default theme will be applied at the first logon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Load a specific theme* +- GP name: *CPL_Personalization_SetTheme* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. + +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). + +If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. + +If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). + +> [!NOTE] +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. +> +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific visual style file or force Windows Classic* +- GP name: *CPL_Personalization_SetVisualStyle* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ + +**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force a specific Start background* +- GP name: *CPL_Personalization_StartBackground* +- GP path: *Control Panel\Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From fbc71af39349926c3d17d714dd0111e8ce728dc1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 9 Nov 2020 16:28:34 -0800 Subject: [PATCH 3/8] Added winlogon and activexinstallservice policies --- windows/client-management/mdm/TOC.md | 2 + .../mdm/policies-in-policy-csp-admx-backed.md | 9 +- .../policy-configuration-service-provider.md | 31 ++ .../policy-csp-admx-activexinstallservice.md | 119 +++++ .../mdm/policy-csp-admx-winlogon.md | 493 ++++++++++++++++++ 5 files changed, 653 insertions(+), 1 deletion(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-activexinstallservice.md create mode 100644 windows/client-management/mdm/policy-csp-admx-winlogon.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index f2de6e5ef5..c5af7336e3 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -172,6 +172,7 @@ #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) @@ -233,6 +234,7 @@ #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_WinLogon](policy-csp-admx-winlogon.md) #### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 1ce31e59ba..4215e9c6ec 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -21,7 +21,8 @@ ms.date: 10/08/2020 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) -- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies) +- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) - [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) - [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) - [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) @@ -819,6 +820,12 @@ ms.date: 10/08/2020 - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell) +- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription) +- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription) +- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription) +- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription) +- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration) - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) - [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70d9a769a7..bd0661bf3e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -168,6 +168,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ActiveXInstallService policies + +
+
+ ADMX_ActiveXInstallService/AxISURLZonePolicies +
+
+ ### ADMX_AddRemovePrograms policies
@@ -2852,6 +2860,29 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WinLogon policies + +
+
+ ADMX_WinLogon/CustomShell +
+
+ ADMX_WinLogon/DisplayLastLogonInfoDescription +
+
+ ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
+
+ ADMX_WinLogon/LogonHoursPolicyDescription +
+
+ ADMX_WinLogon/ReportCachedLogonPolicyDescription +
+
+ ADMX_WinLogon/SoftwareSASGeneration +
+
+ ### ADMX_wlansvc policies
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md new file mode 100644 index 0000000000..38d15714d4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_ActiveXInstallService +description: Policy CSP - ADMX_ActiveXInstallService +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ActiveXInstallService +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ActiveXInstallService policies + +
+
+ ADMX_ActiveXInstallService/AxISURLZonePolicies +
+
+ + +
+ + +**ADMX_ActiveXInstallService/AxISURLZonePolicies** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. + +If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. + +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish ActiveX installation policy for sites in Trusted zones* +- GP name: *AxISURLZonePolicies* +- GP path: *Windows Components\ActiveX Installer Service* +- GP ADMX file name: *ActiveXInstallService.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md new file mode 100644 index 0000000000..26187fd26d --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -0,0 +1,493 @@ +--- +title: Policy CSP - ADMX_WinLogon +description: Policy CSP - ADMX_WinLogon +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WinLogon +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WinLogon policies + +
+
+ ADMX_WinLogon/CustomShell +
+
+ ADMX_WinLogon/DisplayLastLogonInfoDescription +
+
+ ADMX_WinLogon/LogonHoursNotificationPolicyDescription +
+
+ ADMX_WinLogon/LogonHoursPolicyDescription +
+
+ ADMX_WinLogon/ReportCachedLogonPolicyDescription +
+
+ ADMX_WinLogon/SoftwareSASGeneration +
+
+ + +
+ + +**ADMX_WinLogon/CustomShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. + +If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +> [!TIP] +> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Custom User Interface* +- GP name: *CustomShell* +- GP path: *System* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/DisplayLastLogonInfoDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. + +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. + +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. + +If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display information about previous logons during user logon* +- GP name: *DisplayLastLogonInfoDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + + +**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove logon hours expiration warnings* +- GP name: *LogonHoursNotificationPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/LogonHoursPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. + +If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set action to take when logon hours expire* +- GP name: *LogonHoursPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/ReportCachedLogonPolicyDescription** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. + +If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. + +If disabled or not configured, no popup will be displayed to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report when logon server was not available during user logon* +- GP name: *ReportCachedLogonPolicyDescription* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ + +**ADMX_WinLogon/SoftwareSASGeneration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). + +If you enable this policy setting, you have one of four options: + +- If you set this policy setting to "None," user mode software cannot simulate the SAS. +- If you set this policy setting to "Services," services can simulate the SAS. +- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. + +If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable or enable software Secure Attention Sequence* +- GP name: *SoftwareSASGeneration* +- GP path: *Windows Components\Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From cfa3a8f9972cb33abc1b2c0ec05a7c0520f681b1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 10 Nov 2020 12:13:12 -0800 Subject: [PATCH 4/8] Added AppXRuntime and AppXPAckageManager policies --- windows/client-management/mdm/TOC.md | 2 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 25 ++ .../mdm/policy-csp-admx-appxpackagemanager.md | 120 +++++++ .../mdm/policy-csp-admx-appxruntime.md | 338 ++++++++++++++++++ 5 files changed, 490 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md create mode 100644 windows/client-management/mdm/policy-csp-admx-appxruntime.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index c5af7336e3..60a0b0fc6f 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -175,6 +175,8 @@ #### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 4215e9c6ec..87d8c00b35 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,11 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles) +- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules) +- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) +- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) +- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bd0661bf3e..515a332e40 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,31 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AppxPackageManager policies + +
+
+ ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
+
+ +### ADMX_AppXRuntime policies + +
+
+ ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
+
+ ### ADMX_AuditSettings policies
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md new file mode 100644 index 0000000000..44f5d6b6f7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -0,0 +1,120 @@ +--- +title: Policy CSP - ADMX_AppxPackageManager +description: Policy CSP - ADMX_AppxPackageManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppxPackageManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AppxPackageManager policies + +
+
+ ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +
+
+ + +
+ + +**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. + +Special profiles are the following user profiles, where changes are discarded after the user signs off: + +- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies +- Mandatory user profiles and super-mandatory profiles, which are created by an administrator +- Temporary user profiles, which are created when an error prevents the correct profile from loading +- User profiles for the Guest account and members of the Guests group + +If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. + +If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow deployment operations in special profiles* +- GP name: *AllowDeploymentInSpecialProfiles* +- GP path: *Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md new file mode 100644 index 0000000000..8dcf16d88f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -0,0 +1,338 @@ +--- +title: Policy CSP - ADMX_AppXRuntime +description: Policy CSP - ADMX_AppXRuntime +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppXRuntime +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AppXRuntime policies + +
+
+ ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +
+
+ ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +
+
+ + +
+ + +**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. + +If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. + +If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on dynamic Content URI Rules for Windows store apps* +- GP name: *AppxRuntimeApplicationContentUriRules* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. + +If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a file.* +- GP name: *AppxRuntimeBlockFileElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. + +If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. + +If you disable or do not configure this policy setting, all Universal Windows apps can be launched. + +> [!WARNING] +> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* +- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ + +**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. + +If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + +> [!NOTE] +> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Block launching desktop apps associated with a URI scheme* +- GP name: *AppxRuntimeBlockProtocolElevation* +- GP path: *Windows Components\App runtime* +- GP ADMX file name: *AppXRuntime.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From ed82ef3409f4fc9c9608fdaac7c4bdd10b004b85 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 10 Nov 2020 13:44:29 -0800 Subject: [PATCH 5/8] Added AttachementManager policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 20 + .../mdm/policy-csp-admx-attachmentmanager.md | 422 ++++++++++++++++++ 4 files changed, 448 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-attachmentmanager.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 60a0b0fc6f..4ae9979e4c 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -177,6 +177,7 @@ #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) #### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) #### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 87d8c00b35..f8ae27ab30 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -47,6 +47,11 @@ ms.date: 10/08/2020 - [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation) - [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt) - [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation) +- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk) +- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel) +- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion) +- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion) +- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) - [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) - [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 515a332e40..3fac6f18b7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -270,6 +270,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AttachmentManager policies + +
+
+ ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
+
+ ADMX_AttachmentManager/AM_SetFileRiskLevel +
+
+ ADMX_AttachmentManager/AM_SetHighRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetLowRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetModRiskInclusion +
+
+ ### ADMX_AuditSettings policies
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md new file mode 100644 index 0000000000..e43001ae9c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -0,0 +1,422 @@ +--- +title: Policy CSP - ADMX_AttachmentManager +description: Policy CSP - ADMX_AttachmentManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AttachmentManager +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AttachmentManager policies + +
+
+ ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +
+
+ ADMX_AttachmentManager/AM_SetFileRiskLevel +
+
+ ADMX_AttachmentManager/AM_SetHighRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetLowRiskInclusion +
+
+ ADMX_AttachmentManager/AM_SetModRiskInclusion +
+
+ + +
+ + +**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. + +Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. + +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. + +If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. + +If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + +If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Trust logic for file attachments* +- GP name: *AM_EstimateFileHandlerRisk* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetFileRiskLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. + +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. + +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. + +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. + +If you enable this policy setting, you can specify the default risk level for file types. + +If you disable this policy setting, Windows sets the default risk level to moderate. + +If you do not configure this policy setting, Windows sets the default risk level to moderate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default risk level for file attachments* +- GP name: *AM_SetFileRiskLevel* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can create a custom list of high-risk file types. + +If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. + +If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for high risk file types* +- GP name: *AM_SetHighRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types that pose a low risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for low file types* +- GP name: *AM_SetLowRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ + +**ADMX_AttachmentManager/AM_SetModRiskInclusion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). + +If you enable this policy setting, you can specify file types which pose a moderate risk. + +If you disable this policy setting, Windows uses its default trust logic. + +If you do not configure this policy setting, Windows uses its default trust logic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Inclusion list for moderate risk file types* +- GP name: *AM_SetModRiskInclusion* +- GP path: *Windows Components\Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 488913f75e7cf65ba68596ab3ce94631f70dfbcb Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 11 Nov 2020 15:47:15 -0800 Subject: [PATCH 6/8] Added new policies --- windows/client-management/mdm/TOC.md | 3 + .../mdm/policies-in-policy-csp-admx-backed.md | 32 + .../policy-configuration-service-provider.md | 111 + .../policy-csp-admx-credentialproviders.md | 412 ++++ .../mdm/policy-csp-admx-credui.md | 185 ++ .../mdm/policy-csp-admx-userprofiles.md | 1997 +++++++++++++++++ 6 files changed, 2740 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-credentialproviders.md create mode 100644 windows/client-management/mdm/policy-csp-admx-credui.md create mode 100644 windows/client-management/mdm/policy-csp-admx-userprofiles.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 4ae9979e4c..19328d6086 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -185,6 +185,8 @@ #### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) #### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) +#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +#### [ADMX_CredUI](policy-csp-admx-credui.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) @@ -227,6 +229,7 @@ #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) #### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index f8ae27ab30..d9c44122bd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -100,6 +100,13 @@ ms.date: 10/08/2020 - [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle) - [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) +- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) +- [ADMX_CredentialProviders/AllowSecurityKeySignIn](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowsecuritykeysignin) +- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) +- [ADMX_CredentialProviders/DefaultLogonDomain](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultlogondomain) +- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) +- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) +- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) @@ -716,6 +723,31 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) +- [ADMX_UserProfiles/AddAdminGroupToRUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-addadmingrouptorup) +- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) +- [ADMX_UserProfiles/CompatibleRUPSecurity](./policy-csp-admx-userprofiles.md#admx-userprofiles-compatiblerupsecurity) +- [ADMX_UserProfiles/Connect_HomeDir_ToRoot](./policy-csp-admx-userprofiles.md#admx-userprofiles-connect-homedir-toroot) +- [ADMX_UserProfiles/CscSuspendDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-cscsuspenddirectories) +- [ADMX_UserProfiles/DeleteRoamingCachedProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-deleteroamingcachedprofiles) +- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) +- [ADMX_UserProfiles/EnableSlowLinkDetect](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkdetect) +- [ADMX_UserProfiles/EnableSlowLinkUI](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkui) +- [ADMX_UserProfiles/ExcludeDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-excludedirectories) +- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) +- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) +- [ADMX_UserProfiles/LocalProfile](./policy-csp-admx-userprofiles.md#admx-userprofiles-localprofile) +- [ADMX_UserProfiles/MachineProfilePath](./policy-csp-admx-userprofiles.md#admx-userprofiles-machineprofilepath) +- [ADMX_UserProfiles/PrimaryComputer_RUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-primarycomputer-rup) +- [ADMX_UserProfiles/ProfileDlgTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-profiledlgtimeout) +- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) +- [ADMX_UserProfiles/ProfileUnloadTimeout](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileunloadtimeout) +- [ADMX_UserProfiles/Readonlyuserprofile](./policy-csp-admx-userprofiles.md#admx-userprofiles-readonlyuserprofile) +- [ADMX_UserProfiles/SlowLinkDefault](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinkdefault) +- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) +- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) +- [ADMX_UserProfiles/UploadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-uploadhive) +- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) +- [ADMX_UserProfiles/WaitForNetwork](./policy-csp-admx-userprofiles.md#admx-userprofiles-waitfornetwork) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 3fac6f18b7..c4ea4193bf 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -479,6 +479,37 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_CredentialProviders policies + +
+
+ ADMX_CredentialProviders/AllowDomainDelayLock +
+
+ ADMX_CredentialProviders/AllowSecurityKeySignIn +
+
+ ADMX_CredentialProviders/DefaultCredentialProvider +
+
+ ADMX_CredentialProviders/DefaultLogonDomain +
+
+ ADMX_CredentialProviders/ExcludedCredentialProviders +
+
+ +### ADMX_CredUI policies + +
+
+ ADMX_CredUI/EnableSecureCredentialPrompting +
+
+ ADMX_CredUI/NoLocalPasswordResetQuestions +
+
+ ### ADMX_CtrlAltDel policies
@@ -2512,6 +2543,86 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_UserProfiles policies + +
+
+ ADMX_UserProfiles/AddAdminGroupToRUP +
+
+ ADMX_UserProfiles/CleanupProfiles +
+
+ ADMX_UserProfiles/CompatibleRUPSecurity +
+
+ ADMX_UserProfiles/Connect_HomeDir_ToRoot +
+
+ ADMX_UserProfiles/CscSuspendDirectories +
+
+ ADMX_UserProfiles/DeleteRoamingCachedProfiles +
+
+ ADMX_UserProfiles/DontForceUnloadHive +
+
+ ADMX_UserProfiles/EnableSlowLinkDetect +
+
+ ADMX_UserProfiles/EnableSlowLinkUI +
+
+ ADMX_UserProfiles/ExcludeDirectories +
+
+ ADMX_UserProfiles/LeaveAppMgmtData +
+
+ ADMX_UserProfiles/LimitSize +
+
+ ADMX_UserProfiles/LocalProfile +
+
+ ADMX_UserProfiles/MachineProfilePath +
+
+ ADMX_UserProfiles/PrimaryComputer_RUP +
+
+ ADMX_UserProfiles/ProfileDlgTimeOut +
+
+ ADMX_UserProfiles/ProfileErrorAction +
+
+ ADMX_UserProfiles/ProfileUnloadTimeout +
+
+ ADMX_UserProfiles/Readonlyuserprofile +
+
+ ADMX_UserProfiles/SlowLinkDefault +
+
+ ADMX_UserProfiles/SlowLinkTimeOut +
+
+ ADMX_UserProfiles/USER_HOME +
+
+ ADMX_UserProfiles/UploadHive +
+
+ ADMX_UserProfiles/UserInfoAccessAction +
+
+ ADMX_UserProfiles/WaitForNetwork +
+
+ ### ADMX_W32Time policies
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md new file mode 100644 index 0000000000..f01336f9ad --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -0,0 +1,412 @@ +--- +title: Policy CSP - ADMX_CredentialProviders +description: Policy CSP - ADMX_CredentialProviders +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredentialProviders +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_CredentialProviders policies + +
+
+ ADMX_CredentialProviders/AllowDomainDelayLock +
+
+ ADMX_CredentialProviders/AllowSecurityKeySignIn +
+
+ ADMX_CredentialProviders/DefaultCredentialProvider +
+
+ ADMX_CredentialProviders/DefaultLogonDomain +
+
+ ADMX_CredentialProviders/ExcludedCredentialProviders +
+
+ + +
+ + +**ADMX_CredentialProviders/AllowDomainDelayLock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. + +If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + +If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. + +If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to select when a password is required when resuming from connected standby* +- GP name: *AllowDomainDelayLock* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/AllowSecurityKeySignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether users can sign in using external security keys. + +If you enable this policy setting, users can sign in with external security keys. + +If you disable or don't configure this policy setting, users can't sign in with external security keys. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on security key sign-in* +- GP name: *AllowSecurityKeySignIn* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/DefaultCredentialProvider** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. + +If you enable this policy setting, the specified credential provider is selected on other user tile. + +If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. + +> [!NOTE] +> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default credential provider* +- GP name: *DefaultCredentialProvider* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/DefaultLogonDomain** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. + +If you enable this policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer is joined. + +If you disable or do not configure this policy setting, the default logon domain is always set to the domain to which the computer is joined. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Assign a default domain for logon* +- GP name: *DefaultLogonDomain* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ + +**ADMX_CredentialProviders/ExcludedCredentialProviders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + +> [!NOTE] +> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). + +If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. + +If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude credential providers* +- GP name: *ExcludedCredentialProviders* +- GP path: *System\Logon* +- GP ADMX file name: *CredentialProviders.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md new file mode 100644 index 0000000000..9247d038a8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_CredUI +description: Policy CSP - ADMX_CredUI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CredUI +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_CredUI policies + +
+
+ ADMX_CredUI/EnableSecureCredentialPrompting +
+
+ ADMX_CredUI/NoLocalPasswordResetQuestions +
+
+ + +
+ + +**ADMX_CredUI/EnableSecureCredentialPrompting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. + +> [!NOTE] +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. + +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. + +If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require trusted path for credential entry* +- GP name: *EnableSecureCredentialPrompting* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
+ + +**ADMX_CredUI/NoLocalPasswordResetQuestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent the use of security questions for local accounts* +- GP name: *NoLocalPasswordResetQuestions* +- GP path: *Windows Components\Credential User Interface* +- GP ADMX file name: *CredUI.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md new file mode 100644 index 0000000000..66677dde93 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -0,0 +1,1997 @@ +--- +title: Policy CSP - ADMX_UserProfiles +description: Policy CSP - ADMX_UserProfiles +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/11/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_UserProfiles +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_UserProfiles policies + +
+
+ ADMX_UserProfiles/AddAdminGroupToRUP +
+
+ ADMX_UserProfiles/CleanupProfiles +
+
+ ADMX_UserProfiles/CompatibleRUPSecurity +
+
+ ADMX_UserProfiles/Connect_HomeDir_ToRoot +
+
+ ADMX_UserProfiles/CscSuspendDirectories +
+
+ ADMX_UserProfiles/DeleteRoamingCachedProfiles +
+
+ ADMX_UserProfiles/DontForceUnloadHive +
+
+ ADMX_UserProfiles/EnableSlowLinkDetect +
+
+ ADMX_UserProfiles/EnableSlowLinkUI +
+
+ ADMX_UserProfiles/ExcludeDirectories +
+
+ ADMX_UserProfiles/LeaveAppMgmtData +
+
+ ADMX_UserProfiles/LimitSize +
+
+ ADMX_UserProfiles/LocalProfile +
+
+ ADMX_UserProfiles/MachineProfilePath +
+
+ ADMX_UserProfiles/PrimaryComputer_RUP +
+
+ ADMX_UserProfiles/ProfileDlgTimeOut +
+
+ ADMX_UserProfiles/ProfileErrorAction +
+
+ ADMX_UserProfiles/ProfileUnloadTimeout +
+
+ ADMX_UserProfiles/Readonlyuserprofile +
+
+ ADMX_UserProfiles/SlowLinkDefault +
+
+ ADMX_UserProfiles/SlowLinkTimeOut +
+
+ ADMX_UserProfiles/USER_HOME +
+
+ ADMX_UserProfiles/UploadHive +
+
+ ADMX_UserProfiles/UserInfoAccessAction +
+
+ ADMX_UserProfiles/WaitForNetwork +
+
+ + +
+ + +**ADMX_UserProfiles/AddAdminGroupToRUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting adds the Administrator security group to the roaming user profile share. + +Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. + +For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group. + +By configuring this policy setting, you can alter this behavior. + +If you enable this policy setting, the administrator group is also given full control to the user's profile folder. + +If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. + +> [!NOTE] +> If the policy setting is enabled after the profile is created, the policy setting has no effect. +> +> The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. +> +> In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. +> +> The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add the Administrators security group to roaming user profiles* +- GP name: *AddAdminGroupToRUP* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CleanupProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. + +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. + +If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete user profiles older than a specified number of days on system restart* +- GP name: *CleanupProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CompatibleRUPSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the more secure default setting for the user's roaming user profile folder. + +After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. + +For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. + +By configuring this policy setting, you can alter this behavior. + +If you enable this policy setting Windows will not check the permissions for the folder in the case where the folder exists. + +If you disable or do not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user's cached profile will be used, or a temporary profile issued if no cached profile exists. + +> [!NOTE] +> The policy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creation time. +> +> The behavior when this policy setting is enabled is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not check for user ownership of Roaming Profile Folders* +- GP name: *CompatibleRUPSecurity* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/Connect_HomeDir_ToRoot** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory. + +If you enable this policy setting, the system uses the Windows NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\\server\share). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the home directory drive letter. + +If you disable or do not configure this policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified path to the home directory (such as \\\\server\share\dir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Connect home directory to root of the share* +- GP name: *Connect_HomeDir_ToRoot* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/CscSuspendDirectories** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues with applications that do not work well with Offline Files while the user is online. + +If you enable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and logoff, and will be taken offline while the user is logged on. + +If you disable or do not configure this policy setting, the paths specified in this policy setting will behave like any other cached data via Offline Files and continue to remain online while the user is logged on, if the network paths are accessible. + +> [!NOTE] +> You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify network directories to sync at logon/logoff time only* +- GP name: *CscSuspendDirectories* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/DeleteRoamingCachedProfiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. + +Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load. + +If you enable this policy setting, any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it. + +If you disable or do not configure this policy setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. + +> [!IMPORTANT] +> Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link, the system requires a local copy of the user's roaming profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Delete cached copies of roaming profiles* +- GP name: *DeleteRoamingCachedProfiles* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/DontForceUnloadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. + +Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. + +If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. + +If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not forcefully unload the users registry at user logoff* +- GP name: *DontForceUnloadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/EnableSlowLinkDetect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting disables the detection of slow network connections. + +Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policy settings in this folder tell the computer how to respond. + +If you enable this policy setting, the system does not detect slow connections or recognize any connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the policy settings that tell the system how to respond to a slow connection. + +If you disable this policy setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for user profiles" policy setting), the system applies the other policy settings set in this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable detection of slow network connections* +- GP name: *EnableSlowLinkDetect* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/EnableSlowLinkUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. + +If you enable this policy setting, users will be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is detected. + +In operating systems earlier than Microsoft Windows Vista, a dialog box will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen and the user must choose whether to download the remote user profile before Windows detects the network connection speed. + +If you disable or do not configure this policy setting, the system does not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy setting, the system downloads the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen. + +> [!NOTE] +> This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog boxes" policy setting. + +> [!IMPORTANT] +> If the "Do not detect slow network connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt user when a slow network connection is detected* +- GP name: *EnableSlowLinkUI* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ExcludeDirectories** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. + +> [!NOTE] +> When excluding content from the profile you should try to exclude the narrowest set of data that will address your needs. For example, if there is one application with data that should not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roaming folder to the exclusion list. + +By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders such as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile. + +In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile by default. + +If you enable this policy setting, you can exclude additional folders. + +If you disable this policy setting or do not configure it, only the default folders are excluded. + +> [!NOTE] +> You cannot use this policy setting to include the default folders in a roaming user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude directories in roaming profile* +- GP name: *ExcludeDirectories* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LeaveAppMgmtData** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. + +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. + +If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. + +If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. + +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Leave Windows Installer and Group Policy Software Installation Data* +- GP name: *LeaveAppMgmtData* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LimitSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit profile size* +- GP name: *LimitSize* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/LocalProfile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. + +Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. + +If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. + +If you disable this setting or do not configure it, the default behavior occurs, as indicated above. + +If you enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. + +> [!NOTE] +> This setting only affects roaming profile users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Only allow local user profiles* +- GP name: *LocalProfile* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/MachineProfilePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. + +To use this policy setting, type the path to the network share in the form \\\\Computername\Sharename\. It is recommended to use a path such as \\\\Computername\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile. + +If you enable this policy setting, all users logging on this computer will use the roaming profile path specified in this policy. + +If you disable or do not configure this policy setting, users logging on this computer will use their local profile or standard roaming user profile. + +> [!NOTE] +> There are four ways to configure a roaming profile for a user. Windows reads profile configuration in the following order and uses the first configured policy setting it reads. + +1. Terminal Services roaming profile path specified by Terminal Services policy +2. Terminal Services roaming profile path specified by the user object +3. A per-computer roaming profile path specified in this policy +4. A per-user roaming profile path specified in the user object + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set roaming profile path for all users logging onto this computer* +- GP name: *MachineProfilePath* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/PrimaryComputer_RUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user's primary computer only. + +If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Download roaming profiles on primary computers only* +- GP name: *PrimaryComputer_RUP* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileDlgTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles. + +The default user profile is applied when the user does not respond to messages explaining that any of the following events has occurred: + +- The system detects a slow connection between the user's computer and the server that stores users' roaming user profiles. +- The system cannot access users' server-based profiles when users log on or off. +- Users' local profiles are newer than their server-based profiles. + +If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the number of seconds Windows should wait for user input. The minumum value is 0 seconds, and the maximum is 600 seconds. + +If you disable or do not configure this policy setting, Windows waits 30 seconds for user input before applying the default user profile . + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Establish timeout value for dialog boxes* +- GP name: *ProfileDlgTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileErrorAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. + +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. + +If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. + +If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. + +Also, see the "Delete cached copies of roaming profiles" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not log users on with temporary profiles* +- GP name: *ProfileErrorAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/ProfileUnloadTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of trials specified by this policy setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. + +When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). + +If you enable this policy setting, you can adjust the number of times the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.) + +If you disable this policy setting or do not configure it, the system repeats its attempt 60 times. + +If you set the number of retries to 0, the system tries just once to unload and update the user's registry settings. It does not try again. + +> [!NOTE] +> This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more likely to fail. + +This policy setting does not affect the system's attempts to update the files in the user profile. + +> [!TIP] +> Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile. + +Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum retries to unload and update user profile* +- GP name: *ProfileUnloadTimeout* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/Readonlyuserprofile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. + +By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. + +Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. + +If you enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. + +If you disable or not configure this policy setting, the default behavior occurs, as indicated above. + +> [!NOTE] +> This policy setting only affects roaming profile users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Roaming Profile changes from propagating to the server* +- GP name: *Readonlyuserprofile* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/SlowLinkDefault** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, the system waits for the remote copy of the roaming user profile to load, even when loading is slow. + +If you disable this policy setting or do not configure it, when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the "Timeout for dialog boxes" policy setting). + +Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority. + +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Wait for remote user profile* +- GP name: *SlowLinkDefault* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/SlowLinkTimeOut** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. + +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. + +This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. + +If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. + +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control slow network connection timeout for user profiles* +- GP name: *SlowLinkTimeOut* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. + +If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. + +To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. + +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. + +> [!NOTE] +> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. + +If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. + +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set user home folder* +- GP name: *USER_HOME* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/UploadHive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user profile's registry file from being uploaded at user logoff. + +If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile's registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the server every six hours while the user is logged on. + +If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same time every day, as long as the user is logged on. + +For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm. + +> [!NOTE] +> If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is disregarded. + +If you enable this policy setting, Windows uploads the registry file of the user's roaming user profile in the background according to the schedule set here while the user is logged on. Regular profiles are not affected. + +If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the schedule for background upload of a roaming user profile's registry file while user is logged on* +- GP name: *UploadHive* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/UserInfoAccessAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. + +If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: + +- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. + +- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. + +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* +- GP name: *UserInfoAccessAction* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ + +**ADMX_UserProfiles/WaitForNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in which a network might take typically longer to initialize, such as with a wireless network. + +> [!NOTE] +> Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is disconnected or the network adapter is not available). + +If you enable this policy setting, Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to proceed without waiting for the network. + +If you disable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set maximum wait time for the network if a user has a roaming user profile or remote home directory* +- GP name: *WaitForNetwork* +- GP path: *System\User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + From 9a60e56f3611913ea93c87acb3b6023c8d38d885 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 20 Nov 2020 11:36:43 -0800 Subject: [PATCH 7/8] Removed deprecated policies --- .../mdm/policies-in-policy-csp-admx-backed.md | 19 - .../policy-configuration-service-provider.md | 57 - .../policy-csp-admx-credentialproviders.md | 143 -- .../mdm/policy-csp-admx-userprofiles.md | 1342 ----------------- 4 files changed, 1561 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d9c44122bd..1f50c812bc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -101,9 +101,7 @@ ms.date: 10/08/2020 - [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock) -- [ADMX_CredentialProviders/AllowSecurityKeySignIn](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowsecuritykeysignin) - [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider) -- [ADMX_CredentialProviders/DefaultLogonDomain](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultlogondomain) - [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders) - [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting) - [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions) @@ -723,31 +721,14 @@ ms.date: 10/08/2020 - [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video) - [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather) - [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad) -- [ADMX_UserProfiles/AddAdminGroupToRUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-addadmingrouptorup) - [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles) -- [ADMX_UserProfiles/CompatibleRUPSecurity](./policy-csp-admx-userprofiles.md#admx-userprofiles-compatiblerupsecurity) -- [ADMX_UserProfiles/Connect_HomeDir_ToRoot](./policy-csp-admx-userprofiles.md#admx-userprofiles-connect-homedir-toroot) -- [ADMX_UserProfiles/CscSuspendDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-cscsuspenddirectories) -- [ADMX_UserProfiles/DeleteRoamingCachedProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-deleteroamingcachedprofiles) - [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive) -- [ADMX_UserProfiles/EnableSlowLinkDetect](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkdetect) -- [ADMX_UserProfiles/EnableSlowLinkUI](./policy-csp-admx-userprofiles.md#admx-userprofiles-enableslowlinkui) -- [ADMX_UserProfiles/ExcludeDirectories](./policy-csp-admx-userprofiles.md#admx-userprofiles-excludedirectories) - [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata) - [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize) -- [ADMX_UserProfiles/LocalProfile](./policy-csp-admx-userprofiles.md#admx-userprofiles-localprofile) -- [ADMX_UserProfiles/MachineProfilePath](./policy-csp-admx-userprofiles.md#admx-userprofiles-machineprofilepath) -- [ADMX_UserProfiles/PrimaryComputer_RUP](./policy-csp-admx-userprofiles.md#admx-userprofiles-primarycomputer-rup) -- [ADMX_UserProfiles/ProfileDlgTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-profiledlgtimeout) - [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction) -- [ADMX_UserProfiles/ProfileUnloadTimeout](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileunloadtimeout) -- [ADMX_UserProfiles/Readonlyuserprofile](./policy-csp-admx-userprofiles.md#admx-userprofiles-readonlyuserprofile) -- [ADMX_UserProfiles/SlowLinkDefault](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinkdefault) - [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout) - [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home) -- [ADMX_UserProfiles/UploadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-uploadhive) - [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction) -- [ADMX_UserProfiles/WaitForNetwork](./policy-csp-admx-userprofiles.md#admx-userprofiles-waitfornetwork) - [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config) - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c4ea4193bf..99fad505b6 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -485,15 +485,9 @@ The following diagram shows the Policy configuration service provider in tree fo
ADMX_CredentialProviders/AllowDomainDelayLock
-
- ADMX_CredentialProviders/AllowSecurityKeySignIn -
ADMX_CredentialProviders/DefaultCredentialProvider
-
- ADMX_CredentialProviders/DefaultLogonDomain -
ADMX_CredentialProviders/ExcludedCredentialProviders
@@ -2546,81 +2540,30 @@ The following diagram shows the Policy configuration service provider in tree fo ### ADMX_UserProfiles policies
-
- ADMX_UserProfiles/AddAdminGroupToRUP -
ADMX_UserProfiles/CleanupProfiles
-
- ADMX_UserProfiles/CompatibleRUPSecurity -
-
- ADMX_UserProfiles/Connect_HomeDir_ToRoot -
-
- ADMX_UserProfiles/CscSuspendDirectories -
-
- ADMX_UserProfiles/DeleteRoamingCachedProfiles -
ADMX_UserProfiles/DontForceUnloadHive
-
- ADMX_UserProfiles/EnableSlowLinkDetect -
-
- ADMX_UserProfiles/EnableSlowLinkUI -
-
- ADMX_UserProfiles/ExcludeDirectories -
ADMX_UserProfiles/LeaveAppMgmtData
ADMX_UserProfiles/LimitSize
-
- ADMX_UserProfiles/LocalProfile -
-
- ADMX_UserProfiles/MachineProfilePath -
-
- ADMX_UserProfiles/PrimaryComputer_RUP -
-
- ADMX_UserProfiles/ProfileDlgTimeOut -
ADMX_UserProfiles/ProfileErrorAction
-
- ADMX_UserProfiles/ProfileUnloadTimeout -
-
- ADMX_UserProfiles/Readonlyuserprofile -
-
- ADMX_UserProfiles/SlowLinkDefault -
ADMX_UserProfiles/SlowLinkTimeOut
ADMX_UserProfiles/USER_HOME
-
- ADMX_UserProfiles/UploadHive -
ADMX_UserProfiles/UserInfoAccessAction
-
- ADMX_UserProfiles/WaitForNetwork -
### ADMX_W32Time policies diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index f01336f9ad..1dcc21ec35 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -25,15 +25,9 @@ manager: dansimp
ADMX_CredentialProviders/AllowDomainDelayLock
-
- ADMX_CredentialProviders/AllowSecurityKeySignIn -
ADMX_CredentialProviders/DefaultCredentialProvider
-
- ADMX_CredentialProviders/DefaultLogonDomain -
ADMX_CredentialProviders/ExcludedCredentialProviders
@@ -115,75 +109,6 @@ ADMX Info:
- -**ADMX_CredentialProviders/AllowSecurityKeySignIn** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether users can sign in using external security keys. - -If you enable this policy setting, users can sign in with external security keys. - -If you disable or don't configure this policy setting, users can't sign in with external security keys. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn on security key sign-in* -- GP name: *AllowSecurityKeySignIn* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* - - - -
- **ADMX_CredentialProviders/DefaultCredentialProvider** @@ -256,74 +181,6 @@ ADMX Info:
- -**ADMX_CredentialProviders/DefaultLogonDomain** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. - -If you enable this policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer is joined. - -If you disable or do not configure this policy setting, the default logon domain is always set to the domain to which the computer is joined. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Assign a default domain for logon* -- GP name: *DefaultLogonDomain* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* - - - -
**ADMX_CredentialProviders/ExcludedCredentialProviders** diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 66677dde93..f435439049 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -22,170 +22,35 @@ manager: dansimp ## ADMX_UserProfiles policies
-
- ADMX_UserProfiles/AddAdminGroupToRUP -
ADMX_UserProfiles/CleanupProfiles
-
- ADMX_UserProfiles/CompatibleRUPSecurity -
-
- ADMX_UserProfiles/Connect_HomeDir_ToRoot -
-
- ADMX_UserProfiles/CscSuspendDirectories -
-
- ADMX_UserProfiles/DeleteRoamingCachedProfiles -
ADMX_UserProfiles/DontForceUnloadHive
-
- ADMX_UserProfiles/EnableSlowLinkDetect -
-
- ADMX_UserProfiles/EnableSlowLinkUI -
-
- ADMX_UserProfiles/ExcludeDirectories -
ADMX_UserProfiles/LeaveAppMgmtData
ADMX_UserProfiles/LimitSize
-
- ADMX_UserProfiles/LocalProfile -
-
- ADMX_UserProfiles/MachineProfilePath -
-
- ADMX_UserProfiles/PrimaryComputer_RUP -
-
- ADMX_UserProfiles/ProfileDlgTimeOut -
ADMX_UserProfiles/ProfileErrorAction
-
- ADMX_UserProfiles/ProfileUnloadTimeout -
-
- ADMX_UserProfiles/Readonlyuserprofile -
-
- ADMX_UserProfiles/SlowLinkDefault -
ADMX_UserProfiles/SlowLinkTimeOut
ADMX_UserProfiles/USER_HOME
-
- ADMX_UserProfiles/UploadHive -
ADMX_UserProfiles/UserInfoAccessAction
-
- ADMX_UserProfiles/WaitForNetwork -
- -**ADMX_UserProfiles/AddAdminGroupToRUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting adds the Administrator security group to the roaming user profile share. - -Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. - -For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group. - -By configuring this policy setting, you can alter this behavior. - -If you enable this policy setting, the administrator group is also given full control to the user's profile folder. - -If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. - -> [!NOTE] -> If the policy setting is enabled after the profile is created, the policy setting has no effect. -> -> The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. -> -> In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. -> -> The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Add the Administrators security group to roaming user profiles* -- GP name: *AddAdminGroupToRUP* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/CleanupProfiles** @@ -255,301 +120,6 @@ ADMX Info:
- -**ADMX_UserProfiles/CompatibleRUPSecurity** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the more secure default setting for the user's roaming user profile folder. - -After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. - -For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. - -By configuring this policy setting, you can alter this behavior. - -If you enable this policy setting Windows will not check the permissions for the folder in the case where the folder exists. - -If you disable or do not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user's cached profile will be used, or a temporary profile issued if no cached profile exists. - -> [!NOTE] -> The policy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creation time. -> -> The behavior when this policy setting is enabled is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not check for user ownership of Roaming Profile Folders* -- GP name: *CompatibleRUPSecurity* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/Connect_HomeDir_ToRoot** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote directory. - -If you enable this policy setting, the system uses the Windows NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\\server\share). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the home directory drive letter. - -If you disable or do not configure this policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified path to the home directory (such as \\\\server\share\dir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Connect home directory to root of the share* -- GP name: *Connect_HomeDir_ToRoot* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/CscSuspendDirectories** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues with applications that do not work well with Offline Files while the user is online. - -If you enable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and logoff, and will be taken offline while the user is logged on. - -If you disable or do not configure this policy setting, the paths specified in this policy setting will behave like any other cached data via Offline Files and continue to remain online while the user is logged on, if the network paths are accessible. - -> [!NOTE] -> You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent folders. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify network directories to sync at logon/logoff time only* -- GP name: *CscSuspendDirectories* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/DeleteRoamingCachedProfiles** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. - -Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load. - -If you enable this policy setting, any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it. - -If you disable or do not configure this policy setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. - -> [!IMPORTANT] -> Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link, the system requires a local copy of the user's roaming profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Delete cached copies of roaming profiles* -- GP name: *DeleteRoamingCachedProfiles* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/DontForceUnloadHive** @@ -621,233 +191,6 @@ ADMX Info:
- -**ADMX_UserProfiles/EnableSlowLinkDetect** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the detection of slow network connections. - -Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related policy settings in this folder tell the computer how to respond. - -If you enable this policy setting, the system does not detect slow connections or recognize any connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the policy settings that tell the system how to respond to a slow connection. - -If you disable this policy setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for user profiles" policy setting), the system applies the other policy settings set in this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Disable detection of slow network connections* -- GP name: *EnableSlowLinkDetect* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/EnableSlowLinkUI** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. - -If you enable this policy setting, users will be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is detected. - -In operating systems earlier than Microsoft Windows Vista, a dialog box will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen and the user must choose whether to download the remote user profile before Windows detects the network connection speed. - -If you disable or do not configure this policy setting, the system does not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy setting, the system downloads the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen. - -> [!NOTE] -> This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog boxes" policy setting. - -> [!IMPORTANT] -> If the "Do not detect slow network connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prompt user when a slow network connection is detected* -- GP name: *EnableSlowLinkUI* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/ExcludeDirectories** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. - -> [!NOTE] -> When excluding content from the profile you should try to exclude the narrowest set of data that will address your needs. For example, if there is one application with data that should not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roaming folder to the exclusion list. - -By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders such as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile. - -In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile by default. - -If you enable this policy setting, you can exclude additional folders. - -If you disable this policy setting or do not configure it, only the default folders are excluded. - -> [!NOTE] -> You cannot use this policy setting to include the default folders in a roaming user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Exclude directories in roaming profile* -- GP name: *ExcludeDirectories* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/LeaveAppMgmtData** @@ -1000,307 +343,6 @@ ADMX Info:
- -**ADMX_UserProfiles/LocalProfile** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. - -Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. - -If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. - -If you disable this setting or do not configure it, the default behavior occurs, as indicated above. - -If you enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. - -> [!NOTE] -> This setting only affects roaming profile users. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Only allow local user profiles* -- GP name: *LocalProfile* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/MachineProfilePath** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. - -To use this policy setting, type the path to the network share in the form \\\\Computername\Sharename\. It is recommended to use a path such as \\\\Computername\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile. - -If you enable this policy setting, all users logging on this computer will use the roaming profile path specified in this policy. - -If you disable or do not configure this policy setting, users logging on this computer will use their local profile or standard roaming user profile. - -> [!NOTE] -> There are four ways to configure a roaming profile for a user. Windows reads profile configuration in the following order and uses the first configured policy setting it reads. - -1. Terminal Services roaming profile path specified by Terminal Services policy -2. Terminal Services roaming profile path specified by the user object -3. A per-computer roaming profile path specified in this policy -4. A per-user roaming profile path specified in the user object - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set roaming profile path for all users logging onto this computer* -- GP name: *MachineProfilePath* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/PrimaryComputer_RUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. - -To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. - -If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user's primary computer only. - -If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Download roaming profiles on primary computers only* -- GP name: *PrimaryComputer_RUP* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/ProfileDlgTimeOut** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles. - -The default user profile is applied when the user does not respond to messages explaining that any of the following events has occurred: - -- The system detects a slow connection between the user's computer and the server that stores users' roaming user profiles. -- The system cannot access users' server-based profiles when users log on or off. -- Users' local profiles are newer than their server-based profiles. - -If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the number of seconds Windows should wait for user input. The minumum value is 0 seconds, and the maximum is 600 seconds. - -If you disable or do not configure this policy setting, Windows waits 30 seconds for user input before applying the default user profile . - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Establish timeout value for dialog boxes* -- GP name: *ProfileDlgTimeOut* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/ProfileErrorAction** @@ -1374,241 +416,6 @@ ADMX Info:
- -**ADMX_UserProfiles/ProfileUnloadTimeout** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of trials specified by this policy setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. - -When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). - -If you enable this policy setting, you can adjust the number of times the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.) - -If you disable this policy setting or do not configure it, the system repeats its attempt 60 times. - -If you set the number of retries to 0, the system tries just once to unload and update the user's registry settings. It does not try again. - -> [!NOTE] -> This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more likely to fail. - -This policy setting does not affect the system's attempts to update the files in the user profile. - -> [!TIP] -> Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile. - -Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Maximum retries to unload and update user profile* -- GP name: *ProfileUnloadTimeout* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/Readonlyuserprofile** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. - -By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. - -Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. - -If you enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. - -If you disable or not configure this policy setting, the default behavior occurs, as indicated above. - -> [!NOTE] -> This policy setting only affects roaming profile users. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prevent Roaming Profile changes from propagating to the server* -- GP name: *Readonlyuserprofile* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- - -**ADMX_UserProfiles/SlowLinkDefault** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. - -This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. - -If you enable this policy setting, the system waits for the remote copy of the roaming user profile to load, even when loading is slow. - -If you disable this policy setting or do not configure it, when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the "Timeout for dialog boxes" policy setting). - -Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority. - -> [!IMPORTANT] -> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Wait for remote user profile* -- GP name: *SlowLinkDefault* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/SlowLinkTimeOut** @@ -1760,84 +567,6 @@ ADMX Info:
- -**ADMX_UserProfiles/UploadHive** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user profile's registry file from being uploaded at user logoff. - -If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile's registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the server every six hours while the user is logged on. - -If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same time every day, as long as the user is logged on. - -For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm. - -> [!NOTE] -> If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is disregarded. - -If you enable this policy setting, Windows uploads the registry file of the user's roaming user profile in the background according to the schedule set here while the user is logged on. Regular profiles are not affected. - -If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set the schedule for background upload of a roaming user profile's registry file while user is logged on* -- GP name: *UploadHive* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
- **ADMX_UserProfiles/UserInfoAccessAction** @@ -1909,78 +638,7 @@ ADMX Info: -
- -**ADMX_UserProfiles/WaitForNetwork** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in which a network might take typically longer to initialize, such as with a wireless network. - -> [!NOTE] -> Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is disconnected or the network adapter is not available). - -If you enable this policy setting, Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to proceed without waiting for the network. - -If you disable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set maximum wait time for the network if a user has a roaming user profile or remote home directory* -- GP name: *WaitForNetwork* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - -
Footnotes: From 132bc8e0fed87e9c1f0cc44af7d1f23422110396 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 2 Dec 2020 14:36:56 -0800 Subject: [PATCH 8/8] Fixed typo --- windows/client-management/mdm/policy-csp-admx-userprofiles.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index f435439049..3f00b44db1 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -389,7 +389,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile. -If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. @@ -462,7 +462,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. -To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load.