diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 3d54daff21..ab201e6028 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/23/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -18,8 +18,6 @@ ms.topic: reference [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. @@ -39,7 +37,6 @@ The following list shows the BitLocker configuration service provider nodes: - ./Device/Vendor/MSFT/BitLocker - [AllowStandardUserEncryption](#allowstandarduserencryption) - - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) @@ -148,64 +145,6 @@ To disable this policy, use the following SyncML: - -## AllowSuspensionOfBitLockerProtection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection -``` - - - - -This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. - -> [!WARNING] -> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. - -The expected values for this policy are: - -0 = Prevent BitLocker Drive Encryption protection from being suspended. - -1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `int` | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Prevent BitLocker Drive Encryption protection from being suspended. | -| 1 (Default) | This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. | - - - - - - - - ## AllowWarningForOtherDiskEncryption diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index c6d82985f8..fb912358e4 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 06/02/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -772,52 +772,6 @@ Supported Values: String form of request ID. Example format of request ID is GUI - - AllowSuspensionOfBitLockerProtection - - - - - - - - 1 - This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. - Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. - The format is integer. - The expected values for this policy are: - - 0 = Prevent BitLocker Drive Encryption protection from being suspended. - 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. - - - - - - - - - - - - - - - 99.9.99999 - 9.9 - - - - 0 - Prevent BitLocker Drive Encryption protection from being suspended. - - - 1 - This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. - - - - Status diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md index ac422bfdcc..64297f2f14 100644 --- a/windows/client-management/mdm/declaredconfiguration-csp.md +++ b/windows/client-management/mdm/declaredconfiguration-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DeclaredConfiguration CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 09/27/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -110,7 +110,7 @@ The Host internal node indicates that the target of the configuration request or -This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is. +This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is. diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md index 8f17e34ba0..a60936f654 100644 --- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md +++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 09/27/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D - This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is. + This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is. 
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index fb4186237a..ee424411b4 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/29/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -71,10 +71,12 @@ The following list shows the Defender configuration service provider nodes: - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [IntelTDTEnabled](#configurationinteltdtenabled) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [NetworkProtectionReputationMode](#configurationnetworkprotectionreputationmode) - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [PassiveRemediation](#configurationpassiveremediation) - [PerformanceModeStatus](#configurationperformancemodestatus) - [PlatformUpdatesChannel](#configurationplatformupdateschannel) + - [QuickScanIncludeExclusions](#configurationquickscanincludeexclusions) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled) - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime) @@ -348,7 +350,7 @@ Control whether network protection can improve performance by switching from rea | Value | Description | |:--|:--| | 1 | Allow switching to asynchronous inspection. | -| 0 (Default) | Don’t allow asynchronous inspection. | +| 0 (Default) | Don't allow asynchronous inspection. | 
@@ -464,7 +466,7 @@ Define the retention period in days of how much time the evidence data will be k | Property name | Property value | |:--|:--| -| Format | `chr` (string) | +| Format | `int` | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[1-120]` | | Default Value | 60 | @@ -953,8 +955,8 @@ Control Device Control feature. | Value | Description | |:--|:--| -| 1 | . | -| 0 (Default) | . | +| 1 | Device Control is enabled. | +| 0 (Default) | Device Control is disabled. | @@ -2186,6 +2188,46 @@ Allow managed devices to update through metered connections. Default is 0 - not + +### Configuration/NetworkProtectionReputationMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/NetworkProtectionReputationMode +``` + + + + +This sets the reputation mode for Network Protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + ### Configuration/OobeEnableRtpAndSigUpdate @@ -2325,8 +2367,8 @@ This setting allows IT admins to configure performance mode in either enabled or | Value | Description | |:--|:--| -| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. | -| 1 | Performance mode is disabled. A service restart is required after changing this value. | +| 0 (Default) | Performance mode is enabled (default). | +| 1 | Performance mode is disabled. | @@ -2388,6 +2430,55 @@ Enable this policy to specify when devices receive Microsoft Defender platform u + +### Configuration/QuickScanIncludeExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions +``` + + + + +This setting allows you to scan excluded files and directories during quick scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | If you set this setting to 0 or don't configure it, exclusions aren't scanned during quick scans. | +| 1 | If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards aren't supported and aren't scanned. | + + + + + + + + ### Configuration/RandomizeScheduleTaskTimes diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 22e2b101f9..60fd484a13 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/29/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2098,11 +2098,50 @@ The following XML file contains the device description framework (DDF) for the D 0 - Performance mode is enabled (default). A service restart is required after changing this value. + Performance mode is enabled (default). 1 - Performance mode is disabled. A service restart is required after changing this value. + Performance mode is disabled. + + +
+
+ + QuickScanIncludeExclusions + + + + + + + + 0 + This setting allows you to scan excluded files and directories during quick scans. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 0 + If you set this setting to 0 or do not configure it, exclusions are not scanned during quick scans. + + + 1 + If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards are not supported and are not scanned. @@ -2382,7 +2421,7 @@ The following XML file contains the device description framework (DDF) for the D 60 Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur. - + @@ -2432,13 +2471,11 @@ The following XML file contains the device description framework (DDF) for the D 1 - - + Device Control is enabled 0 - - + Device Control is disabled @@ -2650,6 +2687,35 @@ The following XML file contains the device description framework (DDF) for the D + + NetworkProtectionReputationMode + + + + + + + + 0 + This sets the reputation mode for Network Protection. + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + AllowSwitchToAsyncInspection diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index d8b4a5ca6e..1998989619 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -27,12 +27,11 @@ The following list shows the DevicePreparation configuration service provider no - ./Device/Vendor/MSFT/DevicePreparation - [BootstrapperAgent](#bootstrapperagent) - - [ClassID](#bootstrapperagentclassid) - [ExecutionContext](#bootstrapperagentexecutioncontext) - - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) - - [MdmAgentInstalled](#mdmagentinstalled) - [MDMProvider](#mdmprovider) + - [MdmAgentInstalled](#mdmprovidermdmagentinstalled) - [Progress](#mdmproviderprogress) + - [RebootRequired](#mdmproviderrebootrequired) - [PageEnabled](#pageenabled) - [PageSettings](#pagesettings) - [PageStatus](#pagestatus) @@ -55,7 +54,7 @@ The following list shows the DevicePreparation configuration service provider no -The subnodes configure settings for the Bootstrapper Agent. +Parent node for configuring agent that orchestrates provisioning and communicate status to Device Preparation page. @@ -77,45 +76,6 @@ The subnodes configure settings for the Bootstrapper Agent. - -### BootstrapperAgent/ClassID - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID -``` - - - - -This node stores the class ID for the Bootstrapper Agent WinRT object. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Get, Replace | - - - - - - - - ### BootstrapperAgent/ExecutionContext @@ -155,85 +115,6 @@ This node holds opaque data that will be passed to the Bootstrapper Agent as a p - -### BootstrapperAgent/InstallationStatusUri - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri -``` - - - - -This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Get, Replace | - - - - - - - - - -## MdmAgentInstalled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled -``` - - - - -This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `bool` | -| Access Type | Get, Replace | -| Default Value | false | - - - - - - - - ## MDMProvider @@ -251,7 +132,7 @@ This node indicates whether the MDM agent was installed or not. When set to true -The subnode configures the settings for the MDMProvider. +Parent node for configuring the MDM provider that interacts with the BootstrapperAgent. @@ -273,6 +154,46 @@ The subnode configures the settings for the MDMProvider. + +### MDMProvider/MdmAgentInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MDMProvider/MdmAgentInstalled +``` + + + + +This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get, Replace | +| Default Value | False | + + + + + + + + ### MDMProvider/Progress @@ -290,7 +211,7 @@ The subnode configures the settings for the MDMProvider. -Node for reporting progress status as opaque data. +Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data. @@ -303,7 +224,7 @@ Node for reporting progress status as opaque data. | Property name | Property value | |:--|:--| | Format | `chr` (string) | -| Access Type | Get, Replace | +| Access Type | Add, Delete, Get, Replace | @@ -312,6 +233,46 @@ Node for reporting progress status as opaque data. + +### MDMProvider/RebootRequired + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MDMProvider/RebootRequired +``` + + + + +This node indicates whether an MDM policy was provisioned that requires a reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get | +| Default Value | False | + + + + + + + + ## PageEnabled @@ -329,7 +290,7 @@ Node for reporting progress status as opaque data. -This node determines whether to enable or show the Device Preparation page. +This node determines whether to show the Device Preparation page during OOBE. @@ -346,15 +307,6 @@ This node determines whether to enable or show the Device Preparation page. | Default Value | false | - -**Allowed values**: - -| Value | Description | -|:--|:--| -| false (Default) | The page isn't enabled. | -| true | The page is enabled. | - - @@ -378,7 +330,7 @@ This node determines whether to enable or show the Device Preparation page. -This node configures specific settings for the Device Preparation page. +This node configures the Device Preparation page settings. @@ -417,7 +369,7 @@ This node configures specific settings for the Device Preparation page. -This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure. +This node provides status of the Device Preparation page. @@ -441,8 +393,8 @@ This node provides status of the Device Preparation page. Values are an enum: 0 | 0 | Disabled. | | 1 | Enabled. | | 2 | InProgress. | -| 3 | Succeeded. | -| 4 | Failed. | +| 3 | ExitOnSuccess. | +| 4 | ExitOnFailure. | diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index 4f948ac7b5..ed2c59bec4 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md 
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ The following XML file contains the device description framework (DDF) for the D - Parent node for the CSP. + Parent node for configuring the Device Preparation page in OOBE settings and configuring @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D - + 99.9.99999 @@ -58,7 +58,7 @@ The following XML file contains the device description framework (DDF) for the D false - This node determines whether to enable or show the Device Preparation page. + This node determines whether to show the Device Preparation page during OOBE. @@ -71,16 +71,6 @@ The following XML file contains the device description framework (DDF) for the D - - - false - The page is not enabled - - - true - The page is enabled - -
@@ -90,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D - This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure. + This node provides status of the Device Preparation page. @@ -118,11 +108,11 @@ The following XML file contains the device description framework (DDF) for the D 3 - Succeeded + ExitOnSuccess 4 - Failed + ExitOnFailure @@ -134,7 +124,7 @@ The following XML file contains the device description framework (DDF) for the D - This node configures specific settings for the Device Preparation page. + This node configures the Device Preparation page settings. @@ -147,7 +137,8 @@ The following XML file contains the device description framework (DDF) for the D - + + {"AgentDownloadTimeoutSeconds": 900, "PageTimeoutSeconds": 3600, "ErrorMessage": "This is an error message.", "AllowSkipOnFailure": true, "AllowDiagnostics": true } @@ -157,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the D - The subnodes configure settings for the Bootstrapper Agent. + Parent node for configuring agent that orchestrage provioning and communicate status to Device Preparation page. @@ -171,30 +162,6 @@ The following XML file contains the device description framework (DDF) for the D - - ClassID - - - - - - This node stores the class ID for the Bootstrapper Agent WinRT object. - - - - - - - - - - - - - - - - ExecutionContext @@ -215,32 +182,6 @@ The following XML file contains the device description framework (DDF) for the D - - - - - - InstallationStatusUri - - - - - - This node holds a URI that can be queried for the status of the Bootstrapper Agent installation. - - - - - - - - - - - - - - 
@@ -250,7 +191,7 @@ The following XML file contains the device description framework (DDF) for the D - The subnode configures the settings for the MDMProvider. + Parent node for configuring the MDM provider that interacts with the BootstrapperAgent. @@ -268,10 +209,12 @@ The following XML file contains the device description framework (DDF) for the D Progress + + - Noode for reporting progress status as opaque data. + Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data. @@ -286,29 +229,51 @@ The following XML file contains the device description framework (DDF) for the D - - - MdmAgentInstalled - - - - - - false - This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. - - - - - - - - - - - - - + + MdmAgentInstalled + + + + + + False + This node indicates whether the mdm agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + + + + + + + + + + RebootRequired + + + + + False + This node indicates whether an MDM policy was provisioned that requires a reboot. + + + + + + + + + + + + + + diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 5a4154759f..91624a95d6 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMAcc CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -751,7 +751,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types -Specifies the application identifier for the OMA DM account.. The only supported value is w7. +Specifies the application identifier for the OMA DM account. The only supported value is w7. 
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 30b1bd5f6a..e1447e368b 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/24/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -4576,7 +4576,7 @@ This node, when doing a get, tells the server if the "First Syncs" are done and | Value | Description | |:--|:--| -| false | The user isn't finished provisioning. | +| false | The user hasn't finished provisioning. | | true | The user has finished provisioning. | diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index f47fafa391..8ab416c84b 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 09/27/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -341,11 +341,11 @@ The following XML file contains the device description framework (DDF) for the D false - The user is not finished provisioning + The user has not finished provisioning true - The user has finished provisoining. + The user has finished provisioning. @@ -381,7 +381,7 @@ The following XML file contains the device description framework (DDF) for the D 2 - Provisoining is in progress. + Provisioning is in progress. 
@@ -1264,7 +1264,7 @@ The following XML file contains the device description framework (DDF) for the D 2 - Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn). + Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer token). 4 @@ -2020,7 +2020,7 @@ The following XML file contains the device description framework (DDF) for the D true - The device has finished provisoining. + The device has finished provisioning. @@ -2056,7 +2056,7 @@ The following XML file contains the device description framework (DDF) for the D 2 - Provisoining is in progress. + Provisioning is in progress. @@ -2679,7 +2679,7 @@ The following XML file contains the device description framework (DDF) for the D - Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK. + Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an empty string with S_OK. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 6bfcf539e2..9fb784e982 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -2151,7 +2151,7 @@ When setting this field in a firewall rule, the protocol field must also be set, Specifies the list of authorized local users for the app container. -This is a string in Security Descriptor Definition Language (SDDL) format\. +This is a string in Security Descriptor Definition Language (SDDL) format. diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 29e995b12d..14c84143e8 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -253,8 +253,8 @@ Don't start Windows Hello provisioning after sign-in. | Value | Description | |:--|:--| -| false (Default) | Disabled. | -| true | Enabled. | +| false (Default) | Post Logon Provisioning Enabled. | +| true | Post Logon Provisioning Disabled. | diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 6cfc4fabfc..fa9e278d82 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -883,11 +883,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret false - Disabled + Post Logon Provisioning Enabled true - Enabled + Post Logon Provisioning Disabled 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index bc9ea26ab4..8ca51cb2f9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2145,6 +2145,7 @@ This article lists the ADMX-backed policies in Policy CSP. - [EnableAllowedSources](policy-csp-desktopappinstaller.md) - [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) - [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md) +- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md) ## DeviceInstallation @@ -2475,11 +2476,12 @@ This article lists the ADMX-backed policies in Policy CSP. ## MSSecurityGuide - [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) -- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) - [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) - [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) -- [WDigestAuthentication](policy-csp-mssecurityguide.md) +- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md) - [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) +- [WDigestAuthentication](policy-csp-mssecurityguide.md) ## MSSLegacy 
@@ -2530,6 +2532,8 @@ This article lists the ADMX-backed policies in Policy CSP. ## RemoteDesktopServices +- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md) +- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md) - [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) - [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) - [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index a1d5758c14..aec0cd363b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -691,8 +691,24 @@ This article lists the policies in Policy CSP that have a group policy mapping. ## SystemServices +- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md) - [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) - [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md) +- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) 
@@ -829,6 +845,8 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [LogOnAsService](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md) - [DenyLogOnAsService](policy-csp-userrights.md) +- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md) +- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md) ## VirtualizationBasedTechnology @@ -895,6 +913,8 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [AllowVideoInput](policy-csp-windowssandbox.md) - [AllowPrinterRedirection](policy-csp-windowssandbox.md) - [AllowClipboardRedirection](policy-csp-windowssandbox.md) +- [AllowMappedFolders](policy-csp-windowssandbox.md) +- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md) ## WirelessDisplay diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 16a23bf7bf..e7ea263655 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -955,9 +955,9 @@ This policy setting controls Event Log behavior when the log file reaches its ma This policy setting turns on logging. -If you enable or don't configure this policy setting, then events can be written to this log. +- If you enable or don't configure this policy setting, then events can be written to this log. -If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. +- If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. 
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index f462eeaba0..2ed270ebf6 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/30/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -838,7 +838,7 @@ Microsoft Defender Antivirus automatically determines which applications should Enabled: -Specify additional allowed applications in the Options section.. +Specify additional allowed applications in the Options section. Disabled: @@ -1283,12 +1283,12 @@ This policy, if defined, will prevent antimalware from using the configured prox This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) -2. Proxy .pac URL (if specified) +1. Proxy .pac URL (if specified) -3. None -4. Internet Explorer proxy settings. +1. None +1. Internet Explorer proxy settings. -5. Autodetect. +1. Autodetect. - If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. 
@@ -1349,12 +1349,12 @@ This policy setting defines the URL of a proxy .pac file that should be used whe This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) -2. Proxy .pac URL (if specified) +1. Proxy .pac URL (if specified) -3. None -4. Internet Explorer proxy settings. +1. None +1. Internet Explorer proxy settings. -5. Autodetect. +1. Autodetect. - If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://. diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index d4bedbcaf2..881922d5e8 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -668,11 +668,13 @@ Also, see the "Enable user to patch elevated products" policy setting. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. +This policy setting appears in the Computer Configuration and User Configuration folders. + +- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. 
@@ -729,11 +731,13 @@ This policy setting appears in the Computer Configuration and User Configuration This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. +This policy setting appears in the Computer Configuration and User Configuration folders. + +- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. 
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 35907c1d3b..62d426d98e 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -53,9 +53,9 @@ Important. At least one of the entries must be a PING: resource. -- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/. +- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/. -- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. +- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. You must configure this setting to have complete NCA functionality. diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index b0ed275af0..6fe146e767 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/23/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1939,7 +1939,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. +> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option. @@ -2002,7 +2002,7 @@ Reminder balloons appear when the user's connection to a network file is lost or This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. +> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option. 
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 7195e4fc98..b485aeaea3 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Securitycenter Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -48,14 +48,6 @@ Note that Security Center can only be turned off for computers that are joined t - If you enable this policy setting, Security Center is turned on for all users. - If you disable this policy setting, Security Center is turned off for domain members. - -Windows XP SP2 ----------------------- -In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. - -Windows Vista ---------------------- -In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers don't require a reboot for this policy setting to take effect. diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index d804a847a8..d7950d1ff0 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/24/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -1362,13 +1362,13 @@ You can use this policy setting to set a limit on the color depth of any connect Note: -1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. +1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. -2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. +1. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. -3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: +1. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: -a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client. +a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client. If the client doesn't support at least 16 bits, the connection is terminated. 
@@ -2130,19 +2130,19 @@ To allow users to overwrite the "Set RD Gateway server address" policy setting a This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. -If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting. +- If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting. -- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. + +- If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level. Note: -1. +1. 
- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. -- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. - -2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2330,7 +2330,7 @@ This policy setting allows you to specify the order in which an RD Session Host 1. Remote Desktop license servers that are published in Active Directory Domain Services. -2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. +1. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. - If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level. 
@@ -3074,13 +3074,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. +1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. 
@@ -3141,13 +3141,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. +1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. @@ -3275,7 +3275,7 @@ Note: 1. This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. -2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 
@@ -3404,9 +3404,9 @@ Note: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -2. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. +1. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. -3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. +1. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. @@ -4075,9 +4075,9 @@ This policy setting allows the administrator to configure the RemoteFX experienc - If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition -2. Optimize for server scalability. +1. Optimize for server scalability. -3. Optimize for minimum bandwidth usage. +1. Optimize for minimum bandwidth usage. - If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition". 
@@ -5677,7 +5677,7 @@ Note: 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. -2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. +1. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 7796c7da9d..f51f27e3ee 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -158,7 +158,7 @@ To create the SyncML, follow these steps: This policy setting determines whether Windows supports web-to-app linking with app URI handlers. -Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI. +Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI. Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 16d4f87720..c6cf0c0b0b 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1044,7 +1044,7 @@ To verify AllowPasswordManager is set to 0 (not allowed): -This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.. +This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. - If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. @@ -3530,7 +3530,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E |:--|:--| | Name | ConfiguredFavorites | | Friendly Name | Provision Favorites | -| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

URL can be specified as.

1. HTTP location: https://localhost:8080/URLs.html
2. Local network: \\network\shares\URLs.html.

3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html. | +| Element Name | ConfiguredFavoritesPrompt | | Location | Computer and User Configuration | | Path | Windows Components > Microsoft Edge | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 36aeeec980..bca45399aa 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/23/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1350,7 +1350,7 @@ Microsoft Defender Antivirus automatically determines which applications should Enabled: -Specify additional allowed applications in the Options section.. +Specify additional allowed applications in the Options section. Disabled: diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index c8b37170cf..5e4f2838af 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -1697,8 +1697,8 @@ This policy allows an IT Admin to define the following details: - -This policy allows you to set one or more keywords used to recognize VPN connections. + +This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas. @@ -1721,8 +1721,12 @@ This policy allows you to set one or more keywords used to recognize VPN connect | Name | Value | |:--|:--| | Name | VpnKeywords | -| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | -| Element Name | VpnKeywords | +| Friendly Name | VPN Keywords | +| Element Name | VPN Keywords. | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index 700a225113..e0c33829f6 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md @@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -775,6 +775,56 @@ The settings are stored inside of a .json file on the user’s system. It may be + +## EnableWindowsPackageManagerConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerConfiguration +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableWindowsPackageManagerConfiguration | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + ## SourceAutoUpdateInterval diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index dcf5e542ca..601453f34d 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -365,26 +365,26 @@ Device instance IDs > Device IDs > Device setup class > Removable devices. Device instance IDs. 1. Prevent installation of devices using drivers that match these device instance IDs -2. Allow installation of devices using drivers that match these device instance IDs. +1. Allow installation of devices using drivers that match these device instance IDs. Device IDs. -3. Prevent installation of devices using drivers that match these device IDs -4. Allow installation of devices using drivers that match these device IDs. +1. Prevent installation of devices using drivers that match these device IDs +1. Allow installation of devices using drivers that match these device IDs. Device setup class. -5. Prevent installation of devices using drivers that match these device setup classes -6. Allow installation of devices using drivers that match these device setup classes. +1. Prevent installation of devices using drivers that match these device setup classes +1. Allow installation of devices using drivers that match these device setup classes. Removable devices. -7. Prevent installation of removable devices. +1. Prevent installation of removable devices. > [!NOTE] > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. -If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..". policy settings have precedence over any other policy setting that allows Windows to install a device. +If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation.". 
policy settings have precedence over any other policy setting that allows Windows to install a device. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index f3317c93af..3edee263b1 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -4132,7 +4132,7 @@ User Account Control: Only elevate executable files that are signed and validate -User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. +User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. 
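Review bot: In policy-csp-localpoliciessecurityoptions.md, the replacement turns the elided prefix `...\Program Files\` into `..\Program Files\` (and likewise `..\Windows\system32\` and `..\Program Files (x86)\`), which now reads as a parent-directory relative path instead of an omitted leading path. This list defines which locations count as secure for UIAccess elevation, so restore the three-dot ellipsis or exclude this line from the double-period cleanup. While the line is being touched, the secure locations and the Enabled/Disabled options would be easier to audit as real list items than as one run-on paragraph.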
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index eaf592f322..9d94c49836 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -4,7 +4,7 @@ description: Learn more about the MSSecurityGuide Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -222,6 +222,56 @@ ms.topic: reference + +## NetBTNodeTypeConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/NetBTNodeTypeConfiguration +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SecGuide_0050_NetbtNodeTypeConfig | +| ADMX File Name | SecGuide.admx | + + + + + + + + ## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index dd8a3fc532..a2eceff277 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -4,7 +4,7 @@ description: Learn more about the RemoteDesktopServices Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -18,6 +18,8 @@ ms.topic: reference [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -338,6 +340,114 @@ By default, Remote Desktop allows redirection of WebAuthn requests. + +## LimitClientToServerClipboardRedirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS | +| ADMX File Name | terminalserver.admx | + + + + + + + + + +## LimitServerToClientClipboardRedirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC | +| ADMX File Name | terminalserver.admx | + + + + + + + + ## PromptForPasswordUponConnection diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 0d0a105c89..22ff8ce8ea 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/30/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -118,7 +118,7 @@ AllowCommercialDataPipeline configures a Microsoft Entra joined device so that M To enable this behavior: 1. Enable this policy setting -2. Join a Microsoft Entra account to the device. +1. Join a Microsoft Entra account to the device. Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device. 
@@ -198,10 +198,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior: 1. Enable this policy setting -2. Join a Microsoft Entra account to the device. +1. Join a Microsoft Entra account to the device. -3. Set Allow Telemetry to value 1 - Required, or higher -4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. +1. Set Allow Telemetry to value 1 - Required, or higher +1. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -762,10 +762,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior: 1. Enable this policy setting -2. Join a Microsoft Entra account to the device. +1. Join a Microsoft Entra account to the device. -3. Set Allow Telemetry to value 1 - Required, or higher -4. Set the Configure the Commercial ID setting for your Update Compliance workspace. +1. Set Allow Telemetry to value 1 - Required, or higher +1. Set the Configure the Commercial ID setting for your Update Compliance workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -889,9 +889,9 @@ This policy setting configures a Microsoft Entra joined device so that Microsoft To enable this behavior: 1. Enable this policy setting -2. Join a Microsoft Entra account to the device. +1. Join a Microsoft Entra account to the device. -3. Set Allow Telemetry to value 1 - Required, or higher. +1. Set Allow Telemetry to value 1 - Required, or higher. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. 
@@ -1999,10 +1999,10 @@ This policy setting, in combination with the "Allow Diagnostic Data" policy sett To enable the behavior described above, complete the following steps: 1. Enable this policy setting -2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data". +1. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data". -3. Enable the "Limit Dump Collection" policy -4. Enable the "Limit Diagnostic Log Collection" policy. +1. Enable the "Limit Dump Collection" policy +1. Enable the "Limit Diagnostic Log Collection" policy. When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>. diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 1ba198008c..b0e97a7454 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -4,7 +4,7 @@ description: Learn more about the SystemServices Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -20,6 +20,56 @@ ms.topic: reference + +## ConfigureComputerBrowserServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Computer Browser | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + ## ConfigureHomeGroupListenerServiceStartupMode @@ -120,6 +170,756 @@ This setting determines whether the service's start type is Automatic(2), Manual + +## ConfigureIISAdminServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | IIS Admin Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureInfraredMonitorServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Infrared Monitor Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureInternetConnectionSharingServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Internet Connection Sharing (ICS) | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureLxssManagerServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureLxssManagerServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LxssManager | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureMicrosoftFTPServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft FTP Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureRemoteProcedureCallLocatorServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Remote Procedure Call (RPC) Locator | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureRoutingAndRemoteAccessServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Routing and Remote Access | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureSimpleTCPIPServicesStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Simple TCP/IP Services | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureSpecialAdministrationConsoleHelperServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrationConsoleHelperServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Special Administration Console Helper | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureSSDPDiscoveryServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SSDP Discovery | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureUPnPDeviceHostServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UPnP Device Host | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureWebManagementServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Web Management Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Windows Media Player Network Sharing Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureWindowsMobileHotspotServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Windows Mobile Hotspot Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureWorldWideWebPublishingServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | World Wide Web Publishing Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + ## ConfigureXboxAccessoryManagementServiceStartupMode diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 05a793d534..96e90c4433 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -4,7 +4,7 @@ description: Learn more about the Troubleshooting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -61,15 +61,15 @@ After setting this policy, you can use the following instructions to check devic rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner". -2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. +1. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. -3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). +1. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). -4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. +1. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. -5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. +1. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. -6. Configure the task to deploy to your domain. +1. Configure the task to deploy to your domain. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9c9630b5ac..5232cbd5a3 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 10/03/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -292,8 +292,16 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b - + This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent) + +When the policy is configured. + +- If "Automatically receive optional updates (including CFRs)" is selected, the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs). + +- If "Automatically receive optional updates" is selected, the device will only get optional cumulative updates automatically, in line with the quality update deferrals. + +- If "Users can select which optional updates to receive" is selected, users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle "Get the latest updates as soon as they're available" to automatically receive optional updates and gradual feature rollouts. @@ -327,7 +335,12 @@ This policy enables devices to get optional updates (including gradual feature r | Name | Value | |:--|:--| | Name | AllowOptionalContent | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Friendly Name | Enable optional updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetAllowOptionalContent | +| ADMX File Name | WindowsUpdate.admx | 
@@ -1958,7 +1971,7 @@ If any of the following two policies are enabled, this policy has no effect: 1. No auto-restart with logged-on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. @@ -2085,7 +2098,7 @@ If any of the following two policies are enabled, this policy has no effect: 1. No auto-restart with logged-on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. @@ -3599,7 +3612,7 @@ Enabling either of the following two policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. @@ -3664,7 +3677,7 @@ Enabling either of the following two policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. 
@@ -4083,9 +4096,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. @@ -4153,9 +4166,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. @@ -4223,9 +4236,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. @@ -4293,9 +4306,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. 
@@ -4363,9 +4376,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. @@ -4433,9 +4446,9 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time. +1. Always automatically restart at scheduled time. -3. Specify deadline before auto-restart for update installation. +1. Specify deadline before auto-restart for update installation. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index e323789f73..39a023b122 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -259,6 +259,55 @@ This user right allows a process to impersonate any user without authentication. + +## AdjustMemoryQuotasForProcess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AdjustMemoryQuotasForProcess +``` + + + + +Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Adjust memory quotas for a process | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## AllowLocalLogOn @@ -311,6 +360,55 @@ This user right determines which users can log on to the computer. + +## AllowLogOnThroughRemoteDesktop + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLogOnThroughRemoteDesktop +``` + + + + +Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Allow log on through Remote Desktop Services | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## BackupFilesAndDirectories diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index a5834287ac..e415fba8e2 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/30/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,8 +16,6 @@ ms.topic: reference # Policy CSP - WebThreatDefense -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - > [!NOTE] @@ -30,7 +28,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later | diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md index 5d7b09569f..bf5ad5e22a 100644 --- a/windows/client-management/mdm/policy-csp-windowsai.md +++ b/windows/client-management/mdm/policy-csp-windowsai.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsAI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/30/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,8 +16,6 @@ ms.topic: reference # Policy CSP - WindowsAI -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - @@ -28,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] | +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2360] and later
✅ Windows 11, version 23H2 [10.0.22631] and later | diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index 49f808e7e0..be6709c49c 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsSandbox Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 08/10/2023 +ms.date: 11/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,8 @@ ms.topic: reference # Policy CSP - WindowsSandbox +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -148,6 +150,56 @@ This policy setting enables or disables clipboard sharing with the sandbox. + +## AllowMappedFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders +``` + + + + +Allow mapping folders into Windows Sandbox. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowMappedFolders | +| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat | + + + + + + + + ## AllowNetworking @@ -406,6 +458,57 @@ Note that there may be security implications of exposing host video input to the + +## AllowWriteToMappedFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowWriteToMappedFolders +``` + + + + +Allow Sandbox to write to mapped folders. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | +| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowWriteToMappedFolders | +| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat | + + + + + + + +
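Review bot: In policy-csp-troubleshooting.md (hunk `@@ -61,15 +61,15`), renumbering steps 2 through 6 to `1.` is only safe if the batch script block above them is indented as part of step 1. If it is not, the list restarts after the code block: the old explicit `2.` kept the rendered numbers at 2 to 6, while the new `1.` makes the list start again at 1, and "enter the file created in step 1" in the Actions step then points at the wrong step. Please check the rendered page, or refer to the batch file by what it is rather than by step number.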
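Review bot: In policy-csp-update.md, AllowOptionalContent description (hunk `@@ -292,8 +292,16`), the added line "When the policy is configured." is a sentence fragment ending in a full stop although it introduces the three bullets; it should end with a colon or be folded into a full sentence. The bullets also quote the Group Policy option labels only, so an admin setting this node over MDM cannot tell from this text which integer value selects which behaviour. Unless the allowed values table further down already uses the same labels, add the value next to each option.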
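Review bot: In the AllowOptionalContent group policy mapping (hunk `@@ -327,7 +335,12`), the new Registry Value Name is `SetAllowOptionalContent` while the Name row is `AllowOptionalContent`. If the `Set` prefix is intentional, fine, but please confirm it against WindowsUpdate.admx: this row is what people will use to verify in the registry that the policy actually applied, so a wrong value name here leads to false "not configured" findings.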
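Review bot: In policy-csp-update.md, the six hunks from `@@ -4083,9` to `@@ -4433,9` renumber items 2 and 3 but leave item 1, "No auto-restart with logged-on users for scheduled automatic updates installations", without the closing period that the other two items and the two-item versions of this list have. Since these lists are being touched anyway, add the period so all copies match.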
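Review bot: In policy-csp-userrights.md, the new AdjustMemoryQuotasForProcess and AllowLogOnThroughRemoteDesktop sections (hunks `@@ -259,6` and `@@ -311,6`) give Allowed Values as a list with delimiter `0xF000` but show no example value and do not say how accounts or groups are written in that list. AllowLogOnThroughRemoteDesktop decides who can reach the remote sign-in screen, so a mis-encoded list has real access consequences; add an example or a pointer to the page's general guidance on value format. Both sections are also marked Windows Insider Preview, and unlike policy-csp-windowssandbox.md no hunk here adds the Insider tip include, so please check that it is already present in this file.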
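Review bot: In policy-csp-windowssandbox.md, AllowMappedFolders (hunk `@@ -148,6 +150,56`), the group policy mapping uses the raw ADMX identifiers: Name `AllowMappedFolders` and Path `WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat`. This same patch replaces the equivalent raw path for AllowOptionalContent in policy-csp-update.md with the friendly name, location, registry key and ADMX file rows, so the new section should ship with the same rows rather than the placeholder form. The same applies to AllowWriteToMappedFolders below.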
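Review bot: In AllowWriteToMappedFolders (hunk `@@ -406,6 +458,57`), the description "Allow Sandbox to write to mapped folders." together with Range `[0-1]` and Default Value 1 never states what 0 and 1 mean, and there is no allowed values table as other settings have. Because the default is 1 and the setting governs writes from the sandbox into folders mapped from the host, the text should say explicitly which value blocks writes and what the effective behaviour is when the dependency `AllowMappedFolders` is not `1`. AllowMappedFolders has the same gap for its own two values.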