mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
Merge branch 'master' into v-smandalika-5494946-B3
@ -927,18 +927,18 @@ The following list shows the supported values:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons.
|
||||
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
|
||||
|
||||
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
|
||||
|
||||
showonly:about;bluetooth
|
||||
|
||||
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
|
||||
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
|
||||
|
||||
The format of the PageVisibilityList value is as follows:
|
||||
|
||||
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
|
||||
- There are two variants: one that shows only the given pages and one which hides the given pages.
|
||||
- There are two variants: one that shows only the given pages and one that hides the given pages.
|
||||
- The first variant starts with the string "showonly:" and the second with the string "hide:".
|
||||
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
|
||||
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
|
||||
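Review bot: The sentence saying an incorrectly formatted policy string is "ignored entirely (that is, treated as not set)" describes a fail-open outcome, and nothing in the description or the format list tells an admin how to notice it. A value that breaks the listed format rules leaves every Settings page visible without any error. Suggest adding a line after the format list asking admins to confirm the restriction on a test device after deployment, and having the validation steps cover a "showonly:" value as well as "hide:about".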
@ -964,7 +964,7 @@ ADMX Info:
|
||||
|
||||
<!--/ADMXMapped-->
|
||||
<!--Validation-->
|
||||
To validate on Desktop, do the following:
|
||||
To validate on Desktop, use the following steps:
|
||||
|
||||
1. Open System Settings and verify that the About page is visible and accessible.
|
||||
2. Configure the policy with the following string: "hide:about".
|
||||
|
@ -17,7 +17,7 @@ ms.author: greglin
|
||||
|
||||
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
|
||||
|
||||
:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
|
||||
:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
|
||||
|
||||
## Where is Cortana available for use in my organization?
|
||||
|
||||
@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
|
||||
|
||||
| Software | Minimum version |
|
||||
|---------|---------|
|
||||
|Client operating system | Desktop: <br> - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|
||||
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|
||||
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|
||||
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
|
||||
|
||||
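Review bot: The rewritten "Client operating system" row lists only Windows 10, version 2004 and version 1703, while the introduction of this same file says the Cortana app runs in "Windows 10 and Windows 11". Add Windows 11 to the minimum-version cell, or state in the row why it is left out, so the requirements table and the introduction agree.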
@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
|
||||
|
||||
### Cortana in Windows 10, version 2004 and later, or Windows 11
|
||||
|
||||
Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
|
||||
Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
|
||||
|
||||
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
|
||||
|
||||
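Review bot: In the "Cortana in Microsoft 365" link on the rewritten sentence, `&preserve-view=true` comes after the `#what-data-is-processed-by-cortana-in-office-365` fragment, so it is read as part of the fragment and not as a query parameter. Since the line is being touched anyway, move the parameter in front of the fragment: `?view=o365-worldwide&preserve-view=true#what-data-is-processed-by-cortana-in-office-365`.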
@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
|
||||
|
||||
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
|
||||
|
||||
:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
|
||||
:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
|
||||
|
||||
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
|
||||
|
||||
|
@ -7,46 +7,78 @@ ms.sitesec: library
|
||||
author: greg-lindsay
|
||||
ms.localizationpriority: medium
|
||||
ms.author: greglin
|
||||
ms.date: 10/05/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
|
||||
|
||||
>[!NOTE]
|
||||
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
|
||||
For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
|
||||
|
||||
- **Allow Cortana**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
|
||||
- **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
|
||||
- **Description**: Specifies if users can use Cortana.
|
||||
|
||||
|**Group policy** |**MDM policy** |**Description** |
|
||||
|---------|---------|---------|
|
||||
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana. <br>
|
||||
> [!IMPORTANT]
|
||||
> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked. <br>
|
||||
> [!NOTE]
|
||||
> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”). <br>
|
||||
> [!NOTE]
|
||||
> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe <br>
|
||||
Users will still be able to type queries to Cortana. |
|
||||
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization. <br>
|
||||
**In Windows 10, version 1511** <br> Cortana won’t work if this setting is turned off (disabled). <br> **In Windows 10, version 1607 and later** <br> Non-speech aspects of Cortana will still work if this setting is turned off (disabled). <br> **In Windows 10, version 2004 and later** <br> Cortana will work, but voice input will be disabled. |
|
||||
|None |System/AllowLocation |Specifies whether to allow app access to the Location service. <br>
|
||||
**In Windows 10, version 1511** <br> Cortana won’t work if this setting is turned off (disabled). <br>
|
||||
**In Windows 10, version 1607 and later** <br>
|
||||
Cortana still works if this setting is turned off (disabled). <br>
|
||||
**In Windows 10, version 2004 and later** <br>
|
||||
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. |
|
||||
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. <br>
|
||||
Disable this setting if you only want to allow users to sign in with their Azure AD account. |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. <br>
|
||||
**In Windows 10, version 2004 and later** <br> Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search. <br>
|
||||
**In Windows 10 Pro edition** <br> This setting can’t be managed.<br>
|
||||
**In Windows 10 Enterprise edition** <br> Cortana won't work if this setting is turned off (disabled).<br>
|
||||
**In Windows 10, version 2004 and later** <br> This setting no longer affects Cortana. <br> |
|
||||
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required. <br>
|
||||
> [!NOTE]
|
||||
> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
|
||||
Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
|
||||
|
||||
- **AllowCortanaAboveLock**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
|
||||
- **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
|
||||
- **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
|
||||
|
||||
This setting:
|
||||
|
||||
- Doesn't apply to Windows 10, versions 2004 and later
|
||||
- Doesn't apply to Windows 11
|
||||
|
||||
- **LetAppsActivateWithVoice**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
|
||||
- **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
|
||||
- **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
|
||||
|
||||
This setting applies to:
|
||||
|
||||
- Windows 10 versions 2004 and later
|
||||
- Windows 11
|
||||
|
||||
To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
|
||||
|
||||
- **LetAppsAccessMicrophone**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
|
||||
- **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
|
||||
- **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
|
||||
|
||||
- **Allow users to enable online speech recognition services**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
|
||||
- **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
|
||||
- **Description**: Specifies whether users can use voice commands with Cortana in your organization.
|
||||
- **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
|
||||
- **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
|
||||
- **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
|
||||
|
||||
- **AllowLocation**
|
||||
- **Group policy**: None
|
||||
- **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
|
||||
- **Description**: Specifies whether to allow app access to the Location service.
|
||||
- **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled).
|
||||
- **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
|
||||
- **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
|
||||
|
||||
- **AllowMicrosoftAccountConnection**
|
||||
- **Group policy**: None
|
||||
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
|
||||
- **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
|
||||
|
||||
- **Allow search and Cortana to use location**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
|
||||
- **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
|
||||
- **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
|
||||
|
||||
- **Don't search the web or display web results**
|
||||
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
|
||||
- **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
|
||||
- **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
|
||||
- **Windows 10 Pro edition**: This setting can’t be managed.
|
||||
- **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
|
||||
- **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.
|
||||
|
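Review bot: The table-to-list conversion drops the `Search/SafeSearchPermissions` row ("Set the SafeSearch setting for Search"); the new list ends at "Don't search the web or display web results". If the removal is intentional because the setting only applied to Windows 10 Mobile, say so in the commit description; otherwise add the entry back in the new list format. The front matter also still carries `ms.date: 10/05/2017` although the body is substantially rewritten and now covers Windows 11, so the date should be updated with this change.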
BIN
windows/configuration/cortana-at-work/images/screenshot1.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 2.8 MiB |
BIN
windows/configuration/cortana-at-work/images/screenshot2.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 24 KiB |
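Review bot: `screenshot1.png` is added at 2.8 MiB, which is very large for an inline documentation image compared with the 24 KiB `screenshot2.png`. Compress or resize it before merging. Both files also keep generic names; names that describe the content, matching the alt text used in the article, would make the images folder easier to maintain.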
@ -13,14 +13,13 @@ author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
# Lockdown features from Windows Embedded 8.1 Industry
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
- Windows 10
|
||||
|
||||
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
|
||||
|
||||
@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
|
||||
<td align="left">MDM and Group Policy</td>
|
||||
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
|
||||
<p>Group Policy: <strong>Computer Configuration</strong> > <strong>Administrative Templates</strong> > <strong>System</strong> > <strong>Device Installation</strong> > <strong>Device Installation Restrictions</strong></p>
|
||||
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
|
||||
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Removable storage</strong>.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><a href="/previous-versions/windows/embedded/dn449303(v=winembedded.82)" data-raw-source="[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82))">Assigned Access</a>: launch a UWP app on sign-in and lock access to system</p></td>
|
||||
|
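Review bot: The new Intune wording, "use <strong>Removable storage</strong>", names a setting that by its title covers storage only, while the sentence above it says the USB Filter driver was replaced by settings "for blocking the connection of USB devices". With the "Allow USB connection" option removed from the text, readers may assume the Intune setting blocks all USB device classes. Suggest stating the scope of "Removable storage" and pointing to the Device Installation Restrictions Group Policy path for other USB devices.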
@ -24,7 +24,7 @@ Use the links in the following table to learn more about the security foundation
|
||||
|
||||
| Concept | Description |
|
||||
|:---|:---|
|
||||
| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
|
||||
| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
|
||||
| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. <br/><br/>Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). |
|
||||
| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.<br/><br/>Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).|
|
||||
| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.<br/><br/>Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
|
||||
|