deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-22 10:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into tvm-exceptions-for-rbac

Browse Source
This commit is contained in:
Beth Levin 2020-10-05 12:38:18 -07:00
commit 73f95fb2a9
191 changed files with 14608 additions and 1309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.openpublishing.redirection.json
View File

@ -148,7 +148,7 @@
{
"source_path": "windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md",
"redirect_url": "https://docs.microsoft.com/microsoft-365/security/mtp/top-scoring-industry-tests",
"redirect_document_id": true
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md",
@ -15533,7 +15533,7 @@
{
"source_path": "education/get-started/change-history-ms-edu-get-started.md",
"redirect_url": "https://docs.microsoft.com/microsoft-365/education/deploy",
"redirect_document_id": true
"redirect_document_id": false
},
{
"source_path": "education/get-started/get-started-with-microsoft-education.md",
@ -16439,6 +16439,11 @@
"source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
"redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot",
"redirect_document_id": true
},
{
"source_path": "windows/hub/windows-10.yml",
"redirect_url": "https://docs.microsoft.com/windows/windows-10",
"redirect_document_id": false
}
]
}

1
smb/docfx.json
View File

@ -30,6 +30,7 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {

3
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -32,7 +32,7 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined if using Windows 10 version 1607 and above, or Azure AD registered if using Windows 10 version 2004 and above. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
@ -99,4 +99,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC
## Related topics
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)

15
windows/client-management/mdm/TOC.md
View File

@ -193,6 +193,21 @@
#### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
#### [ADMX_MMC](policy-csp-admx-mmc.md)
#### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
#### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md)
#### [ADMX_nca](policy-csp-admx-nca.md)
#### [ADMX_NCSI](policy-csp-admx-ncsi.md)
#### [ADMX_Netlogon](policy-csp-admx-netlogon.md)
#### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md)
#### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md)
#### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md)
#### [ADMX_Reliability](policy-csp-admx-reliability.md)
#### [ADMX_Scripts](policy-csp-admx-scripts.md)
#### [ADMX_sdiageng](policy-csp-admx-sdiageng.md)
#### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md)
#### [ADMX_Servicing](policy-csp-admx-servicing.md)
#### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md)
#### [ADMX_Sharing](policy-csp-admx-sharing.md)
#### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md)
#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
#### [ApplicationManagement](policy-csp-applicationmanagement.md)
#### [AppRuntime](policy-csp-appruntime.md)

14
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -1557,13 +1557,13 @@ Additional lists:
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>

16
windows/client-management/mdm/healthattestation-csp.md
View File

@ -74,7 +74,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
<p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
<ul>
<li>Enables the DHA feature on a DHA-Enabled device</li>
@ -195,10 +195,10 @@ The following diagram shows the Device HealthAttestation configuration service p
<p style="margin-left: 20px">The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
- 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
<a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)
<p style="margin-left: 20px">Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p
<a href="" id="correlationid"></a>**CorrelationId** (Required)
<p style="margin-left: 20px">Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.</p>
<a href="" id="hasendpoint"></a>**HASEndpoint** (Optional)
<p style="margin-left: 20px">Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</p>
@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
Here is a sample alert that is issued by DHA_CSP:
@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w
<tr>
<td style="vertical-align:top">3</td>
<td style="vertical-align:top">HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE</td>
<td style="vertical-align:top">This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.</td>
<td style="vertical-align:top">This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.</td>
</tr>
<tr>
<td style="vertical-align:top">4</td>

2
windows/client-management/mdm/networkqospolicy-csp.md
View File

@ -25,7 +25,7 @@ The following actions are supported:
- Layer 3 tagging using a differentiated services code point (DSCP) value
> [!NOTE]
> The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub.
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
The following diagram shows the NetworkQoSPolicy configuration service provider in tree format.

1
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1996,6 +1996,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
### September 2020
|New or updated topic | Description|
|--- | ---|
|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
### August 2020

485
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -551,6 +551,491 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### ADMX_MSAPolicy policies
<dl>
<dd>
<a href="./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth" id="admx-msapolicy-microsoftaccount-disableuserauth">ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine</a>
</dd>
<dd>
### ADMX_nca policies
<dl>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-corporateresources" id="admx-nca-corporateresources">ADMX_nca/CorporateResources</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-customcommands" id="admx-nca-customcommands">ADMX_nca/CustomCommands</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-dtes" id="admx-nca-dtes">ADMX_nca/DTEs</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-friendlyname" id="admx-nca-friendlyname">ADMX_nca/FriendlyName</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-localnameson" id="admx-nca-localnameson">ADMX_nca/LocalNamesOn</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-passivemode" id="admx-nca-passivemode">ADMX_nca/PassiveMode</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-showui" id="admx-nca-showui">ADMX_nca/ShowUI</a>
</dd>
<dd>
<a href="./policy-csp-admx-nca.md#admx-nca-supportemail" id="admx-nca-supportemail">ADMX_nca/SupportEmail</a>
</dd>
</dl>
### ADMX_NCSI policies
<dl>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent" id="admx-ncsi-ncsi-corpdnsprobecontent">ADMX_NCSI/NCSI_CorpDnsProbeContent</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost" id="admx-ncsi-ncsi-corpdnsprobehost">ADMX_NCSI/NCSI_CorpDnsProbeHost</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes" id="admx-ncsi-ncsi-corpsiteprefixes">ADMX_NCSI/NCSI_CorpSitePrefixes</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl" id="admx-ncsi-ncsi-corpwebprobeurl">ADMX_NCSI/NCSI_CorpWebProbeUrl</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl" id="admx-ncsi-ncsi-domainlocationdeterminationurl">ADMX_NCSI/NCSI_DomainLocationDeterminationUrl</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns" id="admx-ncsi-ncsi-globaldns">ADMX_NCSI/NCSI_GlobalDns</a>
</dd>
<dd>
<a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling" id="admx-ncsi-ncsi-passivepolling">ADMX_NCSI/NCSI_PassivePolling</a>
</dd>
</dl>
### ADMX_Netlogon policies
<dl>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior"id="admx-netlogon-netlogon-addresslookuponpingbehavior">ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned"id="admx-netlogon-netlogon-addresstypereturned">ADMX_Netlogon/Netlogon_AddressTypeReturned</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch"id="admx-netlogon-netlogon-allowdnssuffixsearch">ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto"id="admx-netlogon-netlogon-allownt4crypto">ADMX_Netlogon/Netlogon_AllowNT4Crypto</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain"id="admx-netlogon-netlogon-allowsinglelabeldnsdomain">ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage"id="admx-netlogon-netlogon-autositecoverage">ADMX_Netlogon/Netlogon_AutoSiteCoverage</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery"id="admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery">ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan"id="admx-netlogon-netlogon-avoidpdconwan">ADMX_Netlogon/Netlogon_AvoidPdcOnWan</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod"id="admx-netlogon-netlogon-backgroundretryinitialperiod">ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod"id="admx-netlogon-netlogon-backgroundretrymaximumperiod">ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime"id="admx-netlogon-netlogon-backgroundretryquittime">ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod"id="admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod">ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag"id="admx-netlogon-netlogon-debugflag">ADMX_Netlogon/Netlogon_DebugFlag</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords"id="admx-netlogon-netlogon-dnsavoidregisterrecords">ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval"id="admx-netlogon-netlogon-dnsrefreshinterval">ADMX_Netlogon/Netlogon_DnsRefreshInterval</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames"id="admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames">ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl"id="admx-netlogon-netlogon-dnsttl">ADMX_Netlogon/Netlogon_DnsTtl</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay"id="admx-netlogon-netlogon-expecteddialupdelay">ADMX_Netlogon/Netlogon_ExpectedDialupDelay</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval"id="admx-netlogon-netlogon-forcerediscoveryinterval">ADMX_Netlogon/Netlogon_ForceRediscoveryInterval</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage"id="admx-netlogon-netlogon-gcsitecoverage">ADMX_Netlogon/Netlogon_GcSiteCoverage</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages"id="admx-netlogon-netlogon-ignoreincomingmailslotmessages">ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority"id="admx-netlogon-netlogon-ldapsrvpriority">ADMX_Netlogon/Netlogon_LdapSrvPriority</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight"id="admx-netlogon-netlogon-ldapsrvweight">ADMX_Netlogon/Netlogon_LdapSrvWeight</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize"id="admx-netlogon-netlogon-maximumlogfilesize">ADMX_Netlogon/Netlogon_MaximumLogFileSize</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage"id="admx-netlogon-netlogon-ndncsitecoverage">ADMX_Netlogon/Netlogon_NdncSiteCoverage</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod"id="admx-netlogon-netlogon-negativecacheperiod">ADMX_Netlogon/Netlogon_NegativeCachePeriod</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode"id="admx-netlogon-netlogon-netlogonsharecompatibilitymode">ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod"id="admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod">ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode"id="admx-netlogon-netlogon-pingurgencymode">ADMX_Netlogon/Netlogon_PingUrgencyMode</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval"id="admx-netlogon-netlogon-scavengeinterval">ADMX_Netlogon/Netlogon_ScavengeInterval</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage"id="admx-netlogon-netlogon-sitecoverage">ADMX_Netlogon/Netlogon_SiteCoverage</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename"id="admx-netlogon-netlogon-sitename">ADMX_Netlogon/Netlogon_SiteName</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode"id="admx-netlogon-netlogon-sysvolsharecompatibilitymode">ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite"id="admx-netlogon-netlogon-trynextclosestsite">ADMX_Netlogon/Netlogon_TryNextClosestSite</a>
</dd>
<dd>
<a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns"id="admx-netlogon-netlogon-usedynamicdns">ADMX_Netlogon/Netlogon_UseDynamicDns</a>
</dd>
</dl>
### ADMX_OfflineFiles policies
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders" id="admx-offlinefiles-pol-alwayspinsubfolders">ADMX_OfflineFiles/Pol_AlwaysPinSubFolders</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1" id="admx-offlinefiles-pol-assignedofflinefiles-1">ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2" id="admx-offlinefiles-pol-assignedofflinefiles-2">ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings" id="admx-offlinefiles-pol-backgroundsyncsettings">ADMX_OfflineFiles/Pol_BackgroundSyncSettings</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize" id="admx-offlinefiles-pol-cachesize">ADMX_OfflineFiles/Pol_CacheSize</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1" id="admx-offlinefiles-pol-customgoofflineactions-1">ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2" id="admx-offlinefiles-pol-customgoofflineactions-2">ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize" id="admx-offlinefiles-pol-defcachesize">ADMX_OfflineFiles/Pol_DefCacheSize</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled" id="admx-offlinefiles-pol-enabled">ADMX_OfflineFiles/Pol_Enabled</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles" id="admx-offlinefiles-pol-encryptofflinefiles">ADMX_OfflineFiles/Pol_EncryptOfflineFiles</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1" id="admx-offlinefiles-pol-eventlogginglevel-1">ADMX_OfflineFiles/Pol_EventLoggingLevel_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2" id="admx-offlinefiles-pol-eventlogginglevel-2">ADMX_OfflineFiles/Pol_EventLoggingLevel_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings" id="admx-offlinefiles-pol-exclusionlistsettings">ADMX_OfflineFiles/Pol_ExclusionListSettings</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist" id="admx-offlinefiles-pol-extexclusionlist">ADMX_OfflineFiles/Pol_ExtExclusionList</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1" id="admx-offlinefiles-pol-goofflineaction-1">ADMX_OfflineFiles/Pol_GoOfflineAction_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2" id="admx-offlinefiles-pol-goofflineaction-2">ADMX_OfflineFiles/Pol_GoOfflineAction_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1" id="admx-offlinefiles-pol-nocacheviewer-1">ADMX_OfflineFiles/Pol_NoCacheViewer_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2" id="admx-offlinefiles-pol-nocacheviewer-2">ADMX_OfflineFiles/Pol_NoCacheViewer_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1" id="admx-offlinefiles-pol-noconfigcache-1">ADMX_OfflineFiles/Pol_NoConfigCache_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2" id="admx-offlinefiles-pol-noconfigcache-2">ADMX_OfflineFiles/Pol_NoConfigCache_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1" id="admx-offlinefiles-pol-nomakeavailableoffline-1">ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2" id="admx-offlinefiles-pol-nomakeavailableoffline-2">ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1" id="admx-offlinefiles-pol-nopinfiles-1">ADMX_OfflineFiles/Pol_NoPinFiles_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2" id="admx-offlinefiles-pol-nopinfiles-2">ADMX_OfflineFiles/Pol_NoPinFiles_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1" id="admx-offlinefiles-pol-noreminders-1">ADMX_OfflineFiles/Pol_NoReminders_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2" id="admx-offlinefiles-pol-noreminders-2">ADMX_OfflineFiles/Pol_NoReminders_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings" id="admx-offlinefiles-pol-onlinecachingsettings">ADMX_OfflineFiles/Pol_OnlineCachingSettings</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff" id="admx-offlinefiles-pol-purgeatlogoff">ADMX_OfflineFiles/Pol_PurgeAtLogoff</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin" id="admx-offlinefiles-pol-quickadimpin">ADMX_OfflineFiles/Pol_QuickAdimPin</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1" id="admx-offlinefiles-pol-reminderfreq-1">ADMX_OfflineFiles/Pol_ReminderFreq_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2" id="admx-offlinefiles-pol-reminderfreq-2">ADMX_OfflineFiles/Pol_ReminderFreq_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1" id="admx-offlinefiles-pol-reminderinittimeout-1">ADMX_OfflineFiles/Pol_ReminderInitTimeout_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2" id="admx-offlinefiles-pol-reminderinittimeout-2">ADMX_OfflineFiles/Pol_ReminderInitTimeout_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1" id="admx-offlinefiles-pol-remindertimeout-1">ADMX_OfflineFiles/Pol_ReminderTimeout_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2" id="admx-offlinefiles-pol-remindertimeout-2">ADMX_OfflineFiles/Pol_ReminderTimeout_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings" id="admx-offlinefiles-pol-slowlinksettings">ADMX_OfflineFiles/Pol_SlowLinkSettings</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed" id="admx-offlinefiles-pol-slowlinkspeed">ADMX_OfflineFiles/Pol_SlowLinkSpeed</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1" id="admx-offlinefiles-pol-syncatlogoff-1">ADMX_OfflineFiles/Pol_SyncAtLogoff_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2" id="admx-offlinefiles-pol-syncatlogoff-2">ADMX_OfflineFiles/Pol_SyncAtLogoff_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1" id="admx-offlinefiles-pol-syncatlogon-1">ADMX_OfflineFiles/Pol_SyncAtLogon_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2" id="admx-offlinefiles-pol-syncatlogon-2">ADMX_OfflineFiles/Pol_SyncAtLogon_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1" id="admx-offlinefiles-pol-syncatsuspend-1">ADMX_OfflineFiles/Pol_SyncAtSuspend_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2" id="admx-offlinefiles-pol-syncatsuspend-2">ADMX_OfflineFiles/Pol_SyncAtSuspend_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork" id="admx-offlinefiles-pol-synconcostednetwork">ADMX_OfflineFiles/Pol_SyncOnCostedNetwork</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1" id="admx-offlinefiles-pol-workofflinedisabled-1">ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2" id="admx-offlinefiles-pol-workofflinedisabled-2">ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2</a>
</dd>
</dl>
### ADMX_PeerToPeerCaching policies
<dl>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache" id="admx-peertopeercaching-enablewindowsbranchcache">ADMX_PeerToPeerCaching/EnableWindowsBranchCache</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed" id="admx-peertopeercaching-enablewindowsbranchcache-distributed">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted" id="admx-peertopeercaching-enablewindowsbranchcache-hosted">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery" id="admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers" id="admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb" id="admx-peertopeercaching-enablewindowsbranchcache-smb">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent" id="admx-peertopeercaching-setcachepercent">ADMX_PeerToPeerCaching/SetCachePercent</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage" id="admx-peertopeercaching-setdatacacheentrymaxage">ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge</a>
</dd>
<dd>
<a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading" id="admx-peertopeercaching-setdowngrading">ADMX_PeerToPeerCaching/SetDowngrading</a>
</dd>
</dl>
### ADMX_PerformanceDiagnostics policies
<dl>
<dd>
<a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-1">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-2">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-3">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3</a>
</dd>
<dd>
<a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-4">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4</a>
</dd>
</dl>
### ADMX_Reliability policies
<dl>
<dd>
<a href="./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp" id="admx-reliability-ee-enablepersistenttimestamp">ADMX_Reliability/EE_EnablePersistentTimeStamp</a>
</dd>
<dd>
<a href="./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents" id="admx-reliability-pch-reportshutdownevents">ADMX_Reliability/PCH_ReportShutdownEvents</a>
</dd>
<dd>
<a href="./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile" id="admx-reliability-shutdowneventtrackerstatefile">ADMX_Reliability/ShutdownEventTrackerStateFile</a>
</dd>
<dd>
<a href="./policy-csp-admx-reliability.md#admx-reliability-shutdownreason" id="admx-reliability-shutdownreason">ADMX_Reliability/ShutdownReason</a>
</dd>
</dl>
### ADMX_Scripts policies
<dl>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled" id"admx-scripts-allow-logon-script-netbiosdisabled">ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy" id="admx-scripts-maxgposcriptwaitpolicy">ADMX_Scripts/MaxGPOScriptWaitPolicy</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first" id="admx-scripts-run-computer-ps-scripts-first">ADMX_Scripts/Run_Computer_PS_Scripts_First</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden" id="admx-scripts-run-legacy-logon-script-hidden">ADMX_Scripts/Run_Legacy_Logon_Script_Hidden</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible" id="admx-scripts-run-logoff-script-visible">ADMX_Scripts/Run_Logoff_Script_Visible</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1" id="admx-scripts-run-logon-script-sync-1">ADMX_Scripts/Run_Logon_Script_Sync_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2" id="admx-scripts-run-logon-script-sync-2">ADMX_Scripts/Run_Logon_Script_Sync_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible" id="admx-scripts-run-logon-script-visible">ADMX_Scripts/Run_Logon_Script_Visible</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible" id="admx-scripts-run-shutdown-script-visible">ADMX_Scripts/Run_Shutdown_Script_Visible</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync" id="admx-scripts-run-startup-script-sync">ADMX_Scripts/Run_Startup_Script_Sync</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible" id="admx-scripts-run-startup-script-visible">ADMX_Scripts/Run_Startup_Script_Visible</a>
</dd>
<dd>
<a href="./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first" id="admx-scripts-run-user-ps-scripts-first">ADMX_Scripts/Run_User_PS_Scripts_First</a>
</dd>
</dl>
### ADMX_sdiageng policies
<dl>
<dd>
<a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected" id="admx-sdiageng-betterwhenconnected">ADMX_sdiageng/BetterWhenConnected</a>
</dd>
<dd>
<a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy" id="admx-sdiageng-scripteddiagnosticsexecutionpolicy">ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy</a>
</dd>
<dd>
<a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy" id="admx-sdiageng-scripteddiagnosticssecuritypolicy">ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy</a>
</dd>
</dl>
### ADMX_Securitycenter policies
<dl>
<dd>
<a href="./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain" id="admx-securitycenter-securitycenter-securitycenterindomain">ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain</a>
</dd>
</dl>
### ADMX_Servicing policies
<dl>
<dd>
<a href="./policy-csp-admx-servicing.md#admx-servicing-servicing" id="admx-servicing-servicing">ADMX_Servicing/Servicing</a>
</dd>
</dl>
### ADMX_SharedFolders policies
<dl>
<dd>
<a href="./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots" id="admx-sharedfolders-publishdfsroots">ADMX_SharedFolders/PublishDfsRoots</a>
</dd>
<dd>
<a href="./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders" id="admx-sharedfolders-publishsharedfolders">ADMX_SharedFolders/PublishSharedFolders</a>
</dd>
</dl>
### ADMX_Sharing policies
<dl>
<dd>
<a href="./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing" id="admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
</dd>
</dl>
### ADMX_ShellCommandPromptRegEditTools policies
<dl>
<dd>
<a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd" id="admx-shellcommandpromptregedittools-disablecmd">ADMX_ShellCommandPromptRegEditTools/DisableCMD</a>
</dd>
<dd>
<a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit" id="admx-shellcommandpromptregedittools-disableregedit">ADMX_ShellCommandPromptRegEditTools/DisableRegedit</a>
</dd>
<dd>
<a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps" id="admx-shellcommandpromptregedittools-disallowapps">ADMX_ShellCommandPromptRegEditTools/DisallowApps</a>
</dd>
<dd>
<a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd" id="admx-shellcommandpromptregedittools-restrictapps">ADMX_ShellCommandPromptRegEditTools/RestrictApps</a>
</dd>
</dl>
### ApplicationDefaults policies
<dl>

2
windows/client-management/mdm/policy-csp-admx-auditsettings.md
View File

@ -87,7 +87,7 @@ Default is Not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>

116
windows/client-management/mdm/policy-csp-admx-msapolicy.md Normal file
View File

@ -0,0 +1,116 @@
---
title: Policy CSP - ADMX_MSAPolicy
description: Policy CSP - ADMX_MSAPolicy
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/14/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_MSAPolicy
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_MSAPolicy policies
<dl>
<dd>
<a href="#admx-msapolicy-microsoftaccount-disableuserauth">ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-msapolicy-microsoftaccount-disableuserauth"></a>**ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Block all consumer Microsoft account user authentication*
- GP name: *DisableUserAuth*
- GP path: *Windows Components\Microsoft account*
- GP ADMX file name: *MSAPolicy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

626
windows/client-management/mdm/policy-csp-admx-nca.md Normal file
View File

@ -0,0 +1,626 @@
---
title: Policy CSP - ADMX_nca
description: Policy CSP - ADMX_nca
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/14/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_nca
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_nca policies
<dl>
<dd>
<a href="#admx-nca-corporateresources">ADMX_nca/CorporateResources</a>
</dd>
<dd>
<a href="#admx-nca-customcommands">ADMX_nca/CustomCommands</a>
</dd>
<dd>
<a href="#admx-nca-dtes">ADMX_nca/DTEs</a>
</dd>
<dd>
<a href="#admx-nca-friendlyname">ADMX_nca/FriendlyName</a>
</dd>
<dd>
<a href="#admx-nca-localnameson">ADMX_nca/LocalNamesOn</a>
</dd>
<dd>
<a href="#admx-nca-passivemode">ADMX_nca/PassiveMode</a>
</dd>
<dd>
<a href="#admx-nca-showui">ADMX_nca/ShowUI</a>
</dd>
<dd>
<a href="#admx-nca-supportemail">ADMX_nca/SupportEmail</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-nca-corporateresources"></a>**ADMX_nca/CorporateResources**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
Each string can be one of the following types:
- A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1.
> [!NOTE]
> We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
> [!IMPORTANT]
> At least one of the entries must be a PING: resource.
> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/.
> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Corporate Resources*
- GP name: *Probe*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-customcommands"></a>**ADMX_nca/CustomCommands**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Custom Commands*
- GP name: *CustomCommand*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-dtes"></a>**ADMX_nca/DTEs**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel.
Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1.
You must configure this setting to have complete NCA functionality.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IPsec Tunnel Endpoints*
- GP name: *DTE*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-friendlyname"></a>**ADMX_nca/FriendlyName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Friendly Name*
- GP name: *FriendlyName*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-localnameson"></a>**ADMX_nca/LocalNamesOn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect.
> [!NOTE]
> If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT.
If this setting is not configured, users do not have Connect or Disconnect options.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prefer Local Names Allowed*
- GP name: *NamePreferenceAllowed*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-passivemode"></a>**ADMX_nca/PassiveMode**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether NCA service runs in Passive Mode or not.
Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *DirectAccess Passive Mode*
- GP name: *PassiveMode*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-showui"></a>**ADMX_nca/ShowUI**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
If this setting is not configured, the entry for DirectAccess connectivity appears.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *User Interface*
- GP name: *ShowUI*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-nca-supportemail"></a>**ADMX_nca/SupportEmail**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.
When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Support Email Address*
- GP name: *SupportEmail*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

521
windows/client-management/mdm/policy-csp-admx-ncsi.md Normal file
View File

@ -0,0 +1,521 @@
---
title: Policy CSP - ADMX_NCSI
description: Policy CSP - ADMX_NCSI
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/14/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_NCSI
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_NCSI policies
<dl>
<dd>
<a href="#admx-ncsi-ncsi-corpdnsprobecontent">ADMX_NCSI/NCSI_CorpDnsProbeContent</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-corpdnsprobehost">ADMX_NCSI/NCSI_CorpDnsProbeHost</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-corpsiteprefixes">ADMX_NCSI/NCSI_CorpSitePrefixes</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-corpwebprobeurl">ADMX_NCSI/NCSI_CorpWebProbeUrl</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-domainlocationdeterminationurl">ADMX_NCSI/NCSI_DomainLocationDeterminationUrl</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-globaldns">ADMX_NCSI/NCSI_GlobalDns</a>
</dd>
<dd>
<a href="#admx-ncsi-ncsi-passivepolling">ADMX_NCSI/NCSI_PassivePolling</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-corpdnsprobecontent"></a>**ADMX_NCSI/NCSI_CorpDnsProbeContent**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate DNS probe host address*
- GP name: *DnsProbeContent*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-corpdnsprobehost"></a>**ADMX_NCSI/NCSI_CorpDnsProbeHost**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate DNS probe host name*
- GP name: *DnsProbeHost*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-corpsiteprefixes"></a>**ADMX_NCSI/NCSI_CorpSitePrefixes**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate site prefix list*
- GP name: *SitePrefixes*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-corpwebprobeurl"></a>**ADMX_NCSI/NCSI_CorpWebProbeUrl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate Website probe URL*
- GP name: *WebProbeUrl*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-domainlocationdeterminationurl"></a>**ADMX_NCSI/NCSI_DomainLocationDeterminationUrl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify domain location determination URL*
- GP name: *DomainLocationDeterminationUrl*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-globaldns"></a>**ADMX_NCSI/NCSI_GlobalDns**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify global DNS*
- GP name: *UseGlobalDns*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-ncsi-ncsi-passivepolling"></a>**ADMX_NCSI/NCSI_PassivePolling**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify passive polling*
- GP name: *DisablePassivePolling*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

2768
windows/client-management/mdm/policy-csp-admx-netlogon.md Normal file
View File

File diff suppressed because it is too large Load Diff

3704
windows/client-management/mdm/policy-csp-admx-offlinefiles.md Normal file
View File

File diff suppressed because it is too large Load Diff

805
windows/client-management/mdm/policy-csp-admx-peertopeercaching.md Normal file
View File

@ -0,0 +1,805 @@
---
title: Policy CSP - ADMX_PeerToPeerCaching
description: Policy CSP - ADMX_PeerToPeerCaching
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/16/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_PeerToPeerCaching
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_PeerToPeerCaching policies
<dl>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache">ADMX_PeerToPeerCaching/EnableWindowsBranchCache</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache-distributed">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache-hosted">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-enablewindowsbranchcache-smb">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-setcachepercent">ADMX_PeerToPeerCaching/SetCachePercent</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-setdatacacheentrymaxage">ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge</a>
</dd>
<dd>
<a href="#admx-peertopeercaching-setdowngrading">ADMX_PeerToPeerCaching/SetDowngrading</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings:
- Set BranchCache Distributed Cache mode
- Set BranchCache Hosted Cache mode
- Configure Hosted Cache Servers
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
- Enabled. With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache is turned off for all client computers where the policy is applied.
> [!NOTE]
> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on BranchCache*
- GP name: *Enable*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache-distributed"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
- Enabled. With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache distributed cache mode is turned off for all client computers where the policy is applied.
> [!NOTE]
> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set BranchCache Distributed Cache mode*
- GP name: *Enable*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache-hosted"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
- Enabled. With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache hosted cache mode is turned off for all client computers where the policy is applied.
In circumstances where this setting is enabled, you can also select and configure the following option:
- Type the name of the hosted cache server. Specifies the computer name of the hosted cache server. Because the hosted cache server name is also specified in the certificate enrolled to the hosted cache server, the name that you enter here must match the name of the hosted cache server that is specified in the server certificate.
Hosted cache clients must trust the server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers.
> [!NOTE]
> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set BranchCache Hosted Cache mode*
- GP name: *Location*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy.
When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances:
If no other BranchCache mode-based policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode.
If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only.
If the policy setting "Set BranchCache Hosted Cache Mode" is applied, the client computer does not perform automatic hosted cache discovery. This is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied.
This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista.
If you disable, or do not configure this setting, a client will not attempt to discover hosted cache servers by service connection point.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting, and client computers do not perform hosted cache server discovery.
- Enabled. With this selection, the policy setting is applied to client computers, which perform automatic hosted cache server discovery and which are configured as hosted cache mode clients.
- Disabled. With this selection, this policy is not applied to client computers.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable Automatic Hosted Cache Discovery by Service Connection Point*
- GP name: *SCPDiscoveryEnabled*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.
If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting.
This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode."
If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting.
- Enabled. With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers."
- Disabled. With this selection, this policy is not applied to client computers.
In circumstances where this setting is enabled, you can also select and configure the following option:
- Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Hosted Cache Servers*
- GP name: *MultipleServers*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-enablewindowsbranchcache-smb"></a>**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache latency settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the latency setting that you use on individual client computers.
- Enabled. With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache client computers use the default latency setting of 80 milliseconds.
In circumstances where this policy setting is enabled, you can also select and configure the following option:
- Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure BranchCache for network files*
- GP name: *PeerCachingLatencyThreshold*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-setcachepercent"></a>**ADMX_PeerToPeerCaching/SetCachePercent**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers.
If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache.
If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache client computer cache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache setting that you use on individual client computers.
- Enabled. With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client computer.
In circumstances where this setting is enabled, you can also select and configure the following option:
- Specify the percentage of total disk space allocated for the cache. Specifies an integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache.
> [!NOTE]
> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set percentage of disk space used for client computer cache*
- GP name: *SizePercent*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-setdatacacheentrymaxage"></a>**ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers.
If you enable this policy setting, you can configure the age for segments in the data cache.
If you disable or do not configure this policy setting, the age is set to 28 days.
Policy configuration
Select one of the following:
- Not Configured. With this selection, BranchCache client computer cache age settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache age setting that you use on individual client computers.
- Enabled. With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
- Disabled. With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer.
In circumstances where this setting is enabled, you can also select and configure the following option:
- Specify the age in days for which segments in the data cache are valid.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set age for segments in the data cache*
- GP name: *SegmentTTL*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-peertopeercaching-setdowngrading"></a>**ADMX_PeerToPeerCaching/SetDowngrading**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats.
If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions."
If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system.
Policy configuration
Select one of the following:
- Not Configured. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system.
- Enabled. With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify.
- Disabled. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system.
In circumstances where this setting is enabled, you can also select and configure the following option:
Select from the following versions
- Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that is included in these operating systems rather than later versions of BranchCache.
- Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Client BranchCache Version Support*
- GP name: *PreferredContentInformationVersion*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

362
windows/client-management/mdm/policy-csp-admx-performancediagnostics.md Normal file
View File

@ -0,0 +1,362 @@
---
title: Policy CSP - ADMX_PerformanceDiagnostics
description: Policy CSP - ADMX_PerformanceDiagnostics
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/16/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_PerformanceDiagnostics
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_PerformanceDiagnostics policies
<dl>
<dd>
<a href="#admx-performancediagnostics-wdiscenarioexecutionpolicy-1">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1</a>
</dd>
<dd>
<a href="#admx-performancediagnostics-wdiscenarioexecutionpolicy-2">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2</a>
</dd>
<dd>
<a href="#admx-performancediagnostics-wdiscenarioexecutionpolicy-3">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3</a>
</dd>
<dd>
<a href="#admx-performancediagnostics-wdiscenarioexecutionpolicy-4">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-1"></a>**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Boot Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available.
If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS.
If you do not configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
No system restart or service restart is required for this policy to take effect: changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP path: *System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-2"></a>**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS.
If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
No system restart or service restart is required for this policy to take effect: changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP path: *System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-3"></a>**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.
If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS.
If you do not configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
No system restart or service restart is required for this policy to take effect: changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP path: *System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-4"></a>**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS.
If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
No system restart or service restart is required for this policy to take effect: changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP path: *System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

361
windows/client-management/mdm/policy-csp-admx-reliability.md Normal file
View File

@ -0,0 +1,361 @@
---
title: Policy CSP - ADMX_Reliability
description: Policy CSP - ADMX_Reliability
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 08/13/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Reliability
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_Reliability policies
<dl>
<dd>
<a href="#admx-reliability-ee-enablepersistenttimestamp">ADMX_Reliability/EE_EnablePersistentTimeStamp</a>
</dd>
<dd>
<a href="#admx-reliability-pch-reportshutdownevents">ADMX_Reliability/PCH_ReportShutdownEvents</a>
</dd>
<dd>
<a href="#admx-reliability-shutdowneventtrackerstatefile">ADMX_Reliability/ShutdownEventTrackerStateFile</a>
</dd>
<dd>
<a href="#admx-reliability-shutdownreason">ADMX_Reliability/ShutdownReason</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-reliability-ee-enablepersistenttimestamp"></a>**ADMX_Reliability/EE_EnablePersistentTimeStamp**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.
If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds.
If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded.
If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003.
> [!NOTE]
> This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable Persistent Time Stamp*
- GP name: *TimeStampEnabled*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<hr/>
<!--Policy-->
<a href="" id="admx-reliability-pch-reportshutdownevents"></a>**ADMX_Reliability/PCH_ReportShutdownEvents**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.
If you enable this policy setting, error reporting includes unplanned shutdown events.
If you disable this policy setting, unplanned shutdown events are not included in error reporting.
If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default.
Also see the "Configure Error Reporting" policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Report unplanned shutdown events*
- GP name: *IncludeShutdownErrs*
- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
- GP ADMX file name: *Reliability.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<hr/>
<!--Policy-->
<a href="" id="admx-reliability-shutdowneventtrackerstatefile"></a>**ADMX_Reliability/ShutdownEventTrackerStateFile**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.
The system state data file contains information about the basic system state as well as the state of all running processes.
If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned.
If you disable this policy setting, the System State Data feature is never activated.
If you do not configure this policy setting, the default behavior for the System State Data feature occurs.
> [!NOTE]
> By default, the System State Data feature is always enabled on Windows Server 2003.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Activate Shutdown Event Tracker System State Data feature*
- GP name: *SnapShot*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<hr/>
<!--Policy-->
<a href="" id="admx-reliability-shutdownreason"></a>**ADMX_Reliability/ShutdownReason**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer.
If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down.
If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.)
If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.)
If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer.
If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs.
> [!NOTE]
> By default, the Shutdown Event Tracker is only displayed on computers running Windows Server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display Shutdown Event Tracker*
- GP name: *ShutdownReasonOn*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

985
windows/client-management/mdm/policy-csp-admx-scripts.md Normal file
View File

@ -0,0 +1,985 @@
---
title: Policy CSP - ADMX_Scripts
description: Policy CSP - ADMX_Scripts
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/17/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Scripts
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_Scripts policies
<dl>
<dd>
<a href="#admx-scripts-allow-logon-script-netbiosdisabled">ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled</a>
</dd>
<dd>
<a href="#admx-scripts-maxgposcriptwaitpolicy">ADMX_Scripts/MaxGPOScriptWaitPolicy</a>
</dd>
<dd>
<a href="#admx-scripts-run-computer-ps-scripts-first">ADMX_Scripts/Run_Computer_PS_Scripts_First</a>
</dd>
<dd>
<a href="#admx-scripts-run-legacy-logon-script-hidden">ADMX_Scripts/Run_Legacy_Logon_Script_Hidden</a>
</dd>
<dd>
<a href="#admx-scripts-run-logoff-script-visible">ADMX_Scripts/Run_Logoff_Script_Visible</a>
</dd>
<dd>
<a href="#admx-scripts-run-logon-script-sync-1">ADMX_Scripts/Run_Logon_Script_Sync_1</a>
</dd>
<dd>
<a href="#admx-scripts-run-logon-script-sync-2">ADMX_Scripts/Run_Logon_Script_Sync_2</a>
</dd>
<dd>
<a href="#admx-scripts-run-logon-script-visible">ADMX_Scripts/Run_Logon_Script_Visible</a>
</dd>
<dd>
<a href="#admx-scripts-run-shutdown-script-visible">ADMX_Scripts/Run_Shutdown_Script_Visible</a>
</dd>
<dd>
<a href="#admx-scripts-run-startup-script-sync">ADMX_Scripts/Run_Startup_Script_Sync</a>
</dd>
<dd>
<a href="#admx-scripts-run-startup-script-visible">ADMX_Scripts/Run_Startup_Script_Visible</a>
</dd>
<dd>
<a href="#admx-scripts-run-user-ps-scripts-first">ADMX_Scripts/Run_User_PS_Scripts_First</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-allow-logon-script-netbiosdisabled"></a>**ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured.
If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow logon scripts when NetBIOS or WINS is disabled*
- GP name: *Allow-LogonScript-NetbiosDisabled*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-maxgposcriptwaitpolicy"></a>**ADMX_Scripts/MaxGPOScriptWaitPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the system waits for scripts applied by Group Policy to run.
This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.
If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0.
This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop.
An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely.
If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum wait time for Group Policy scripts*
- GP name: *MaxGPOScriptWait*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-computer-ps-scripts-first"></a>**ADMX_Scripts/Run_Computer_PS_Scripts_First**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A.
GPO B and GPO C include the following computer startup scripts:
GPO B: B.cmd, B.ps1
GPO C: C.cmd, C.ps1
Assume also that there are two computers, DesktopIT and DesktopSales.
For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT:
Within GPO B: B.ps1, B.cmd
Within GPO C: C.ps1, C.cmd
For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales:
Within GPO B: B.cmd, B.ps1
Within GPO C: C.cmd, C.ps1
> [!NOTE]
> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup
> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run Windows PowerShell scripts first at computer startup, shutdown*
- GP name: *RunComputerPSScriptsFirst*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-legacy-logon-script-hidden"></a>**ADMX_Scripts/Run_Legacy_Logon_Script_Hidden**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier.
Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000.
If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier.
If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.
Also, see the "Run Logon Scripts Visible" setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run legacy logon scripts hidden*
- GP name: *HideLegacyLogonScripts*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-logoff-script-visible"></a>**ADMX_Scripts/Run_Logoff_Script_Visible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logoff scripts as they run.
Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script.
If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in logoff scripts as they run*
- GP name: *HideLogoffScripts*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-logon-script-sync-1"></a>**ADMX_Scripts/Run_Logon_Script_Sync_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run logon scripts synchronously*
- GP name: *RunLogonScriptSync*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-logon-script-sync-2"></a>**ADMX_Scripts/Run_Logon_Script_Sync_2**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run logon scripts synchronously*
- GP name: *RunLogonScriptSync*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-logon-script-visible"></a>**ADMX_Scripts/Run_Logon_Script_Visible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logon scripts as they run.
Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts.
If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in logon scripts as they run*
- GP name: *HideLogonScripts*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-shutdown-script-visible"></a>**ADMX_Scripts/Run_Shutdown_Script_Visible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in shutdown scripts as they run.
Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.
If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window.
If you disable or do not configure this policy setting, the instructions are suppressed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in shutdown scripts as they run*
- GP name: *HideShutdownScripts*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-startup-script-sync"></a>**ADMX_Scripts/Run_Startup_Script_Sync**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting lets the system run startup scripts simultaneously.
Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.
If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.
If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete.
> [!NOTE]
> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run startup scripts asynchronously*
- GP name: *RunStartupScriptSync*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-startup-script-visible"></a>**ADMX_Scripts/Run_Startup_Script_Visible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in startup scripts as they run.
Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.
If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
> [!NOTE]
> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in startup scripts as they run*
- GP name: *HideStartupScripts*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-scripts-run-user-ps-scripts-first"></a>**ADMX_Scripts/Run_User_PS_Scripts_First**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A.
GPO B and GPO C include the following user logon scripts:
GPO B: B.cmd, B.ps1
GPO C: C.cmd, C.ps1
Assume also that there are two users, Qin Hong and Tamara Johnston.
For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:
Within GPO B: B.ps1, B.cmd
Within GPO C: C.ps1, C.cmd
For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:
Within GPO B: B.cmd, B.ps1
Within GPO C: C.cmd, C.ps1
> [!NOTE]
> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon
> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run Windows PowerShell scripts first at user logon, logoff*
- GP name: *RunUserPSScriptsFirst*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

260
windows/client-management/mdm/policy-csp-admx-sdiageng.md Normal file
View File

@ -0,0 +1,260 @@
---
title: Policy CSP - ADMX_sdiageng
description: Policy CSP - ADMX_sdiageng
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_sdiageng
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_sdiageng policies
<dl>
<dd>
<a href="#admx-sdiageng-betterwhenconnected">ADMX_sdiageng/BetterWhenConnected</a>
</dd>
<dd>
<a href="#admx-sdiageng-scripteddiagnosticsexecutionpolicy">ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy</a>
</dd>
<dd>
<a href="#admx-sdiageng-scripteddiagnosticssecuritypolicy">ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-sdiageng-betterwhenconnected"></a>**ADMX_sdiageng/BetterWhenConnected**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?"
If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface.
If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)*
- GP name: *EnableQueryRemoteServer*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-sdiageng-scripteddiagnosticsexecutionpolicy"></a>**ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.
If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.
If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel.
Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Troubleshooting: Allow users to access and run Troubleshooting Wizards*
- GP name: *EnableDiagnostics*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-sdiageng-scripteddiagnosticssecuritypolicy"></a>**ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.
If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers.
If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Security Policy for Scripted Diagnostics*
- GP name: *ValidateTrust*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

126
windows/client-management/mdm/policy-csp-admx-securitycenter.md Normal file
View File

@ -0,0 +1,126 @@
---
title: Policy CSP - ADMX_Securitycenter
description: Policy CSP - ADMX_Securitycenter
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Securitycenter
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_Securitycenter policies
<dl>
<dd>
<a href="#admx-securitycenter-securitycenter-securitycenterindomain">ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-securitycenter-securitycenter-securitycenterindomain"></a>**ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed.
Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect.
If you do not configure this policy setting, the Security Center is turned off for domain members.
If you enable this policy setting, Security Center is turned on for all users.
If you disable this policy setting, Security Center is turned off for domain members.
**Windows XP SP2**
In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers.
**Windows Vista**
In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Security Center (Domain PCs only)*
- GP name: *SecurityCenterInDomain*
- GP path: *Windows Components\Security Center*
- GP ADMX file name: *Securitycenter.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

116
windows/client-management/mdm/policy-csp-admx-servicing.md Normal file
View File

@ -0,0 +1,116 @@
---
title: Policy CSP - ADMX_Servicing
description: Policy CSP - ADMX_Servicing
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Servicing
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_Servicing policies
<dl>
<dd>
<a href="#admx-servicing-servicing">ADMX_Servicing/Servicing</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-servicing-servicing"></a>**ADMX_Servicing/Servicing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.
If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon.
The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”.
If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify settings for optional component installation and component repair*
- GP name: *RepairContentServerSource*
- GP path: *System*
- GP ADMX file name: *Servicing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

192
windows/client-management/mdm/policy-csp-admx-sharedfolders.md Normal file
View File

@ -0,0 +1,192 @@
---
title: Policy CSP - ADMX_SharedFolders
description: Policy CSP - ADMX_SharedFolders
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/21/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_SharedFolders
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_SharedFolders policies
<dl>
<dd>
<a href="#admx-sharedfolders-publishdfsroots">ADMX_SharedFolders/PublishDfsRoots</a>
</dd>
<dd>
<a href="#admx-sharedfolders-publishsharedfolders">ADMX_SharedFolders/PublishSharedFolders</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-sharedfolders-publishdfsroots"></a>**ADMX_SharedFolders/PublishDfsRoots**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).
If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .
If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled.
> [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow DFS roots to be published*
- GP name: *PublishDfsRoots*
- GP path: *Shared Folders*
- GP ADMX file name: *SharedFolders.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-sharedfolders-publishsharedfolders"></a>**ADMX_SharedFolders/PublishSharedFolders**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS).
If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS.
If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled.
> [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow shared folders to be published*
- GP name: *PublishSharedFolders*
- GP path: *Shared Folders*
- GP ADMX file name: *SharedFolders.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

113
windows/client-management/mdm/policy-csp-admx-sharing.md Normal file
View File

@ -0,0 +1,113 @@
---
title: Policy CSP - ADMX_Sharing
description: Policy CSP - ADMX_Sharing
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/21/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Sharing
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_Sharing policies
<dl>
<dd>
<a href="#admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-sharing-noinplacesharing"></a>**ADMX_Sharing/NoInplaceSharing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.
If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders.
If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent users from sharing files within their profile.*
- GP name: *NoInplaceSharing*
- GP path: *Windows Components\Network Sharing*
- GP ADMX file name: *Sharing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

348
windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md Normal file
View File

@ -0,0 +1,348 @@
---
title: Policy CSP - ADMX_ShellCommandPromptRegEditTools
description: Policy CSP - ADMX_ShellCommandPromptRegEditTools
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/21/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_ShellCommandPromptRegEditTools
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_ShellCommandPromptRegEditTools policies
<dl>
<dd>
<a href="#admx-shellcommandpromptregedittools-disablecmd">ADMX_ShellCommandPromptRegEditTools/DisableCMD</a>
</dd>
<dd>
<a href="#admx-shellcommandpromptregedittools-disableregedit">ADMX_ShellCommandPromptRegEditTools/DisableRegedit</a>
</dd>
<dd>
<a href="#admx-shellcommandpromptregedittools-disallowapps">ADMX_ShellCommandPromptRegEditTools/DisallowApps</a>
</dd>
<dd>
<a href="#admx-shellcommandpromptregedittools-restrictapps">ADMX_ShellCommandPromptRegEditTools/RestrictApps</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-shellcommandpromptregedittools-disablecmd"></a>**ADMX_ShellCommandPromptRegEditTools/DisableCMD**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally.
> [!NOTE]
> Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent access to the command prompt*
- GP name: *DisableCMD*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-shellcommandpromptregedittools-disableregedit"></a>**ADMX_ShellCommandPromptRegEditTools/DisableRegedit**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. Disables the Windows registry editor Regedit.exe.
If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.
If you disable this policy setting or do not configure it, users can run Regedit.exe normally.
To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent access to registry editing tools*
- GP name: *DisableRegistryTools*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-shellcommandpromptregedittools-disallowapps"></a>**ADMX_ShellCommandPromptRegEditTools/DisallowApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows from running the programs you specify in this policy setting.
If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications.
If you disable this policy setting or do not configure it, users can run any programs.
This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
> [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe).
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Don't run specified Windows applications*
- GP name: *DisallowRun*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-shellcommandpromptregedittools-restrictapps"></a>**ADMX_ShellCommandPromptRegEditTools/RestrictApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Available in Windows 10 Insider Preview Build 20185. Limits the Windows programs that users have permission to run on the computer.
If you enable this policy setting, users can only run programs that you add to the list of allowed applications.
If you disable this policy setting or do not configure it, users can run all applications.
This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
> [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe).
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run only specified Windows applications*
- GP name: *RestrictRun*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

4
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -142,8 +142,8 @@ Here's an example:
</groupmembership>
```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
> [!NOTE]

2
windows/client-management/mdm/policy-csp-system.md
View File

@ -737,7 +737,7 @@ The following list shows the supported values for Windows 8.1:
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10:
- 0 (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 3 (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.

14
windows/client-management/mdm/policy-csp-update.md
View File

@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Update
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
<hr/>
@ -1927,7 +1925,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
<!--/Description-->
<!--ADMXMapped-->
@ -2920,7 +2918,7 @@ The following list shows the supported values:
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
<!--/Description-->
<!--ADMXMapped-->
@ -2936,7 +2934,7 @@ ADMX Info:
The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
- 1 Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
<!--/SupportedValues-->
<!--/Policy-->
@ -2987,7 +2985,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
@ -3049,7 +3047,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead.
<!--/Description-->
<!--ADMXMapped-->
@ -3116,7 +3114,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.

138
windows/client-management/mdm/policy-csps-admx-backed.md
View File

@ -121,6 +121,144 @@ ms.date: 08/18/2020
- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb)
- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author)
- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins)
- [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth)
- [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources)
- [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands)
- [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes)
- [ADMX_nca/FriendlyName](./policy-csp-admx-nca.md#admx-nca-friendlyname)
- [ADMX_nca/LocalNamesOn](./policy-csp-admx-nca.md#admx-nca-localnameson)
- [ADMX_nca/PassiveMode](./policy-csp-admx-nca.md#admx-nca-passivemode)
- [ADMX_nca/ShowUI](./policy-csp-admx-nca.md#admx-nca-showui)
- [ADMX_nca/SupportEmail](./policy-csp-admx-nca.md#admx-nca-supportemail)
- [ADMX_NCSI/NCSI_CorpDnsProbeContent](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent)
- [ADMX_NCSI/NCSI_CorpDnsProbeHost](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost)
- [ADMX_NCSI/NCSI_CorpSitePrefixes](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes)
- [ADMX_NCSI/NCSI_CorpWebProbeUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl)
- [ADMX_NCSI/NCSI_DomainLocationDeterminationUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl)
- [ADMX_NCSI/NCSI_GlobalDns](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns)
- [ADMX_NCSI/NCSI_PassivePolling](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling)
- [ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior)
- [ADMX_Netlogon/Netlogon_AddressTypeReturned](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned)
- [ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch)
- [ADMX_Netlogon/Netlogon_AllowNT4Crypto](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto)
- [ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain)
- [ADMX_Netlogon/Netlogon_AutoSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage)
- [ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery)
- [ADMX_Netlogon/Netlogon_AvoidPdcOnWan](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan)
- [ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod)
- [ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod)
- [ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime)
- [ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod)
- [ADMX_Netlogon/Netlogon_DebugFlag](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag)
- [ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords)
- [ADMX_Netlogon/Netlogon_DnsRefreshInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval)
- [ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames)
- [ADMX_Netlogon/Netlogon_DnsTtl](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl)
- [ADMX_Netlogon/Netlogon_ExpectedDialupDelay](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay)
- [ADMX_Netlogon/Netlogon_ForceRediscoveryInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval)
- [ADMX_Netlogon/Netlogon_GcSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage)
- [ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages)
- [ADMX_Netlogon/Netlogon_LdapSrvPriority](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority)
- [ADMX_Netlogon/Netlogon_LdapSrvWeight](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight)
- [ADMX_Netlogon/Netlogon_MaximumLogFileSize](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize)
- [ADMX_Netlogon/Netlogon_NdncSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage)
- [ADMX_Netlogon/Netlogon_NegativeCachePeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod)
- [ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode)
- [ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod)
- [ADMX_Netlogon/Netlogon_PingUrgencyMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode)
- [ADMX_Netlogon/Netlogon_ScavengeInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval)
- [ADMX_Netlogon/Netlogon_SiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage)
- [ADMX_Netlogon/Netlogon_SiteName](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename)
- [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode)
- [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite)
- [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns)
- [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders)
- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1)
- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2)
- [ADMX_OfflineFiles/Pol_BackgroundSyncSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings)
- [ADMX_OfflineFiles/Pol_CacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize)
- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1)
- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2)
- [ADMX_OfflineFiles/Pol_DefCacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize)
- [ADMX_OfflineFiles/Pol_Enabled](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled)
- [ADMX_OfflineFiles/Pol_EncryptOfflineFiles](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles)
- [ADMX_OfflineFiles/Pol_EventLoggingLevel_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1)
- [ADMX_OfflineFiles/Pol_EventLoggingLevel_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2)
- [ADMX_OfflineFiles/Pol_ExclusionListSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings)
- [ADMX_OfflineFiles/Pol_ExtExclusionList](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist)
- [ADMX_OfflineFiles/Pol_GoOfflineAction_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1)
- [ADMX_OfflineFiles/Pol_GoOfflineAction_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2)
- [ADMX_OfflineFiles/Pol_NoCacheViewer_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1)
- [ADMX_OfflineFiles/Pol_NoCacheViewer_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2)
- [ADMX_OfflineFiles/Pol_NoConfigCache_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1)
- [ADMX_OfflineFiles/Pol_NoConfigCache_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2)
- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1)
- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2)
- [ADMX_OfflineFiles/Pol_NoPinFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1)
- [ADMX_OfflineFiles/Pol_NoPinFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2)
- [ADMX_OfflineFiles/Pol_NoReminders_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1)
- [ADMX_OfflineFiles/Pol_NoReminders_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2)
- [ADMX_OfflineFiles/Pol_OnlineCachingSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings)
- [ADMX_OfflineFiles/Pol_PurgeAtLogoff](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff)
- [ADMX_OfflineFiles/Pol_QuickAdimPin](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin)
- [ADMX_OfflineFiles/Pol_ReminderFreq_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1)
- [ADMX_OfflineFiles/Pol_ReminderFreq_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2)
- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1)
- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2)
- [ADMX_OfflineFiles/Pol_ReminderTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1)
- [ADMX_OfflineFiles/Pol_ReminderTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2)
- [ADMX_OfflineFiles/Pol_SlowLinkSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings)
- [ADMX_OfflineFiles/Pol_SlowLinkSpeed](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed)
- [ADMX_OfflineFiles/Pol_SyncAtLogoff_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1)
- [ADMX_OfflineFiles/Pol_SyncAtLogoff_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2)
- [ADMX_OfflineFiles/Pol_SyncAtLogon_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1)
- [ADMX_OfflineFiles/Pol_SyncAtLogon_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2)
- [ADMX_OfflineFiles/Pol_SyncAtSuspend_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1)
- [ADMX_OfflineFiles/Pol_SyncAtSuspend_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2)
- [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork)
- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1)
- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers)
- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb)
- [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent)
- [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage)
- [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4)
- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp)
- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents)
- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile)
- [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason)
- [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled)
- [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy)
- [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first)
- [ADMX_Scripts/Run_Legacy_Logon_Script_Hidden](./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden)
- [ADMX_Scripts/Run_Logoff_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible)
- [ADMX_Scripts/Run_Logon_Script_Sync_1](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1)
- [ADMX_Scripts/Run_Logon_Script_Sync_2](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2)
- [ADMX_Scripts/Run_Logon_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible)
- [ADMX_Scripts/Run_Shutdown_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible)
- [ADMX_Scripts/Run_Startup_Script_Sync](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync)
- [ADMX_Scripts/Run_Startup_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible)
- [ADMX_Scripts/Run_User_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first)
- [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected)
- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
- [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps)
- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)

4
windows/deployment/TOC.yml
View File

@ -45,6 +45,9 @@
href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows 10 updates
href: update/waas-delivery-optimization.md
items:
- name: Using a proxy with Delivery Optimization
href: update/delivery-optimization-proxy.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
@ -196,6 +199,7 @@
- name: Data handling and privacy in Update Compliance
href: update/update-compliance-privacy.md
- name: Update Compliance schema reference
href: update/update-compliance-schema.md
items:
- name: WaaSUpdateStatus
href: update/update-compliance-schema-waasupdatestatus.md

79
windows/deployment/update/delivery-optimization-proxy.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Using a proxy with Delivery Optimization
manager: laurawi
description: Settings to use with various proxy configurations to allow Delivery Optimization to work
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
---
# Using a proxy with Delivery Optimization
**Applies to**: Windows 10
When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
> [!NOTE]
> We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).
If a user is signed in, the system uses the Internet Explorer proxy.
If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors.
You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
### Summary of settings behavior
These tables summarize the behavior for various combinations of settings:
With an interactive user signed in:
|Named proxy set by using: |Delivery Optimization successfully uses proxy |
|---------|---------|
|Internet Explorer proxy, current user | Yes |
|Internet Explorer proxy, device-wide | Yes |
|netsh proxy | No |
|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, Internet Explorer proxy is used |
|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, Internet Explorer proxy is used |
With NetworkService (if unable to obtain a user token from a signed-in user):
|Named proxy set by using: |Delivery Optimization successfully uses proxy |
|---------|---------|
|Internet Explorer proxy, current user | No |
|Internet Explorer proxy, device-wide | Yes |
|netsh proxy | No |
|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used |
|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used |
## Setting a device-wide Internet Explorer proxy
You can set a device-wide proxy that will apply to all users including an interactive user, LocalSystem, and NetworkService by using the [Network Proxy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkproxy-csp).
Or, if you use Group Policy, you can apply proxy settings to all users of the same device by enabling the **Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Make proxy settings per-machine (rather than per-user)** policy.
This policy is meant to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user, so if you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
## Using a proxy with Microsoft Connected Cache
Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download.
However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
## Related articles
- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](https://docs.microsoft.com/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
- [How to use GPP Registry to uncheck automatically detect settings? ](https://docs.microsoft.com/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)

5
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -30,9 +30,9 @@ version of the software.
We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@ -104,4 +104,3 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.

30
windows/deployment/update/media-dynamic-update.md
View File

@ -79,7 +79,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
|Add .Net and .Net cumulative updates | | | 24 |
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
### Multiple Windows editions
@ -90,7 +90,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@ -107,7 +107,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```
```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@ -160,21 +160,21 @@ New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updateed media.
# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
It finishes by cleaning and exporting the image to reduce the image size.
> [!NOTE]
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```
```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
@ -255,7 +255,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
```
```powershell
#
# update Windows Preinstallation Environment (WinPE)
#
@ -345,11 +345,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
```
```powershell
#
# update Main OS
#
@ -398,14 +398,14 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .Net Cumulative Update
# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
@ -422,7 +422,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
```
```powershell
#
# update remaining files on media
#
@ -435,7 +435,7 @@ cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PA
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
```
```powershell
#
# Perform final cleanup
#

4
windows/deployment/update/update-baseline.md
View File

@ -1,5 +1,5 @@
---
title: Update baseline
title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, tools, group policy
ms.prod: w10
@ -11,7 +11,7 @@ manager: laurawi
ms.topic: article
---
# Update baseline
# Update Baseline
**Applies to:** Windows 10

3
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -48,6 +48,9 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
> [!NOTE]
> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
### Group Policies
All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.

6
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -19,7 +19,11 @@ ms.topic: article
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
> [!NOTE]
> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized

3
windows/deployment/update/update-compliance-schema.md
View File

@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
> [!NOTE]
> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |

8
windows/deployment/update/update-compliance-using.md
View File

@ -62,21 +62,19 @@ The following is a breakdown of the different sections available in Update Compl
## Update Compliance data latency
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows:
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate at which each type of data is sent from the device and how long it takes to be ready for Update Compliance varies, roughly outlined below.
The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.
| Data Type | Data upload rate from device | Data Latency |
|--|--|--|
|WaaSUpdateStatus | Once per day |4 hours |
|WaaSInsiderStatus| Once per day |4 hours |
|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
|WDAVStatus|On signature update|24 hours |
|WDAVThreat|On threat detection|24 hours |
|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
|WUDOStatus|Once per day|12 hours |
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh).
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours.
## Using Log Analytics

1
windows/deployment/update/waas-delivery-optimization.md
View File

@ -74,7 +74,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Computers running Windows 10 | 1511 |
| Computers running Server Core installations of Windows Server | 1709 |
| IoT devices | 1803 |
| HoloLens devices | 1803 |
**Types of download packages supported by Delivery Optimization**

2
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -84,7 +84,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
![Example of UI](images/waas-wsus-fig5.png)
>[!IMPORTANT]
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).

2
windows/deployment/update/waas-overview.md
View File

@ -101,7 +101,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).

13
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -52,10 +52,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
**To assign a single devices locally to the Semi-Annual Channel**
1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
2. Select **Defer feature updates**.
>[!NOTE]
>Devices will automatically recieve updates from the Semi-Annual Channel, unless they are configured to recieve preview updates through the Windows Insider Program.
**To assign devices to the Semi-Annual Channel by using Group Policy**
@ -99,7 +97,7 @@ For more information, see [Windows Insider Program for Business](waas-windows-in
## Block access to Windows Insider Program
To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
To prevent devices in your organization from being enrolled in the Insider Program for early releases of Windows 10:
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
@ -164,10 +162,11 @@ During the life of a device, it might be necessary or desirable to switch betwee
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
>[!NOTE]
> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
> Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported.
## Steps to manage updates for Windows 10

2
windows/deployment/update/windows-update-troubleshooting.md
View File

@ -62,7 +62,7 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t
- Windows Update
## Feature updates are not being offered while other updates are
On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered.
Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business scenarios) are able to install servicing and definition updates but are never offered feature updates.
Checking the WindowsUpdate.log reveals the following error:
```console

80
windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
View File

@ -20,22 +20,25 @@ ms.topic: article
# Activate using Key Management Service
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
@ -43,14 +46,15 @@ Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.co
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsofts activation services.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
**Configure KMS in Windows 10**
### Configure KMS in Windows 10
To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
- To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
- To activate online, type `slmgr.vbs /ato`.
- To activate by telephone , follow these steps:
- To activate by telephone, follow these steps:
1. Run `slmgr.vbs /dti` and confirm the installation ID.
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
@ -59,18 +63,18 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
**Note**  
You cannot install a client KMS key into the KMS in Windows Server.
> [!NOTE]
> You cannot install a client KMS key into the KMS in Windows Server.
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
**Note**  
> [!NOTE]
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
**Configure KMS in Windows Server 2012 R2**
### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
@ -78,7 +82,7 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
**Figure 4**. Adding the Volume Activation Services role in Server Manager\
**Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
@ -86,21 +90,21 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
**Figure 5**. Launching the Volume Activation Tools
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg)
**Figure 6**. Configuring the computer as a KMS host
5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
**Figure 7**. Installing your KMS host key
6. If asked to confirm replacement of an existing key, click **Yes**.
7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
7. If asked to confirm replacement of an existing key, click **Yes**.
8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
![Activating the software](../images/volumeactivationforwindows81-08.jpg)
@ -123,25 +127,27 @@ You can verify KMS volume activation from the KMS host server or from the client
To verify that KMS volume activation works, complete the following steps:
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.<p>
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.<p>
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
3. Install the new KMS host key on your KMS host.
4. Activate the new KMS host key by running the slmgr.vbs script.
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
3. Install the new KMS host key on your KMS host.
4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

34
windows/deployment/volume-activation/introduction-vamt.md
View File

@ -19,24 +19,26 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
**Note**  
VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
> [!NOTE]
> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## In this Topic
- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)

1
windows/docfx.json
View File

@ -17,6 +17,7 @@
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.windows"

2
windows/hub/TOC.md
View File

@ -1,4 +1,4 @@
# [Windows 10](index.md)
# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
## [Release information](/windows/release-information)
## [Deployment](/windows/deployment)

68
windows/hub/index.md
View File

@ -1,68 +0,0 @@
---
title: Windows 10
description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.reviewer: dansimp
manager: dansimp
---
# Windows 10
Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10.
&nbsp;
## Check out [what's new in Windows 10, version 2004](/windows/whats-new/whats-new-windows-10-version-2004).
<br>
<table border="0" width="100%" align="center">
<tr style="text-align:center;">
<td align="center" style="width:25%; border:0;">
<a href="/windows/whats-new/whats-new-windows-10-version-2004">
<img src="images/whatsnew.png" alt="Read what's new in Windows 10" title="Whats new" />
<br/>What's New? </a><br>
</td>
<td align="center">
<a href="/windows/configuration/index">
<img src="images/configuration.png" alt="Configure Windows 10 in your enterprise" title="Configure Windows 10" />
<br/>Configuration </a><br>
</td>
<td align="center">
<a href="/windows/deployment/index">
<img src="images/deployment.png" alt="Windows 10 deployment" title="Windows 10 deployment" />
<br/>Deployment </a><br>
</tr>
<tr style="text-align:center;">
<td align="center"><br>
<a href="/windows/application-management/index">
<img src="images/applicationmanagement.png" alt="Manage applications in your Windows 10 enterprise deployment" title="Application management" />
<br/>App Management </a>
</td>
<td align="center"><br>
<a href="/windows/client-management/index">
<img src="images/clientmanagement.png" alt="Windows 10 client management" title="Client management" />
<br/>Client Management </a>
</td>
<td align="center"><br>
<a href="/windows/security/index">
<img src="images/threatprotection.png" alt="Windows 10 security" title="W10 security" />
<br/>Security </a>
</tr>
</table>
>[!TIP]
> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions).
## Get to know Windows as a Service (WaaS)
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- [Read more about Windows as a Service](/windows/deployment/update/waas-overview)

115
windows/hub/index.yml Normal file
View File

@ -0,0 +1,115 @@
### YamlMime:Landing
title: Windows 10 resources and documentation for IT Pros # < 60 chars
summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars
metadata:
title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: What's new
linkLists:
- linkListType: overview
links:
- text: What's new in Windows 10, version 2004
url: /windows/whats-new/whats-new-windows-10-version-2004
- text: What's new in Windows 10, version 1909
url: /windows/whats-new/whats-new-windows-10-version-1909
- text: What's new in Windows 10, version 1903
url: /windows/whats-new/whats-new-windows-10-version-1903
- text: Windows 10 release information
url: https://docs.microsoft.com/windows/release-information/
# Card (optional)
- title: Configuration
linkLists:
- linkListType: how-to-guide
links:
- text: Configure Windows 10
url: /windows/configuration/index
- text: Accesasibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
- text: Set up a shared or guest PC
url: /windows/configuration/set-up-shared-or-guest-pc
# Card (optional)
- title: Deployment
linkLists:
- linkListType: deploy
links:
- text: Deploy and update Windows 10
url: /windows/deployment/index
- text: Windows 10 deployment scenarios
url: /windows/deployment/windows-10-deployment-scenarios
- text: Create a deployment plan
url: /windows/deployment/update/create-deployment-plan
- text: Prepare to deploy Windows 10
url: /windows/deployment/update/prepare-deploy-windows
# Card
- title: App management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 application management
url: /windows/application-management/index
- text: Understand the different apps included in Windows 10
url: /windows/application-management/apps-in-windows-10
- text: Get started with App-V for Windows 10
url: /windows/application-management/app-v/appv-getting-started
- text: Keep removed apps from returning during an update
url: /windows/application-management/remove-provisioned-apps-during-update
# Card
- title: Client management
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 client management
url: /windows/client-management/index
- text: Administrative tools in Windows 10
url: /windows/client-management/administrative-tools-in-windows-10
- text: Create mandatory user profiles
url: /windows/client-management/mandatory-user-profile
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
# Card (optional)
- title: Security and Privacy
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 Enterprise Security
url: /windows/security/index
- text: Windows Privacy
url: /windows/privacy/index
- text: Identity and access management
url: /windows/security/identity-protection/index
- text: Threat protection
url: /windows/security/threat-protection/index
- text: Information protection
url: /windows/security/information-protection/index
- text: Required diagnostic data
url: /windows/privacy/required-windows-diagnostic-data-events-and-fields-2004
- text: Optional diagnostic data
url: /windows/privacy/windows-diagnostic-data
- text: Changes to Windows diagnostic data collection
url: /windows/privacy/changes-to-windows-diagnostic-data-collection

77
windows/hub/windows-10.yml
View File

@ -1,77 +0,0 @@
### YamlMime:YamlDocument
documentType: LandingData
title: Windows 10
metadata:
title: Windows 10
description: Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
ms.localizationpriority: medium
author: lizap
ms.author: elizapo
manager: dougkim
ms.topic: article
ms.devlang: na
sections:
- items:
- type: markdown
text: "
Find tools, step-by-step guides, and other resources to help you deploy and support Windows 10 in your organization.
"
- title: Explore
- items:
- type: markdown
text: "
Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.<br>
<table><tr><td><img src='images/explore1.png' width='192' height='192'><br>**Download a free 90-day evaluation**<br>Try the latest features. Test your apps, hardware, and deployment strategies.<br><a href='https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise'>Start evaluation</a></td><td><img src='images/explore2.png' width='192' height='192'><br>**Get started with virtual labs**<br>Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required.<br><a href='https://www.microsoft.com/en-us/itpro/windows-10/virtual-labs'>See Windows 10 labs</a></td><td><img src='images/explore3.png' width='192' height='192'><br>**Conduct a proof of concept**<br>Download a lab environment with MDT, Configuration Manager, Windows 10, and more.<br><a href='https://go.microsoft.com/fwlink/p/?linkid=861441'>Get deployment kit</a></td></tr>
</table>
"
- title: What's new
- items:
- type: markdown
text: "
Learn about the latest releases and servicing options.<br>
<table><tr><td><img src='images/land-new.png'></td><td><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809'>What's new in Windows 10, version 1809</a><br><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803'>What's new in Windows 10, version 1803</a><br><a href='https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709'>What's new in Windows 10, version 1709</a><br><a href='https://docs.microsoft.com/windows/windows-10/release-information'>Windows 10 release information</a><br><a href='https://support.microsoft.com/help/12387/windows-10-update-history'>Windows 10 update history</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861443'>Windows 10 roadmap</a></td></tr>
</table>
"
- title: Frequently asked questions
- items:
- type: markdown
text: "
Get answers to common questions, or get help with a specific problem.<br>
<table><tr><td><a href='https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro'>Windows 10 FAQ for IT Pros</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861444'>Windows 10 forums</a><br><a href='https://techcommunity.microsoft.com/t5/Windows-10/bd-p/Windows10space'>Windows 10 TechCommunity</a><br><a href='https://go.microsoft.com/fwlink/p/?linkid=861445'>Which edition is right for your organization?</a><br><a href='https://docs.microsoft.com/windows/deployment/planning/windows-10-infrastructure-requirements'>Infrastructure requirements</a><br><a href='https://www.microsoft.com/itpro/windows-10/windows-as-a-service'>What's Windows as a service?</a><br><a href='https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm'>Windows 10 Mobile deployment and management guide</a></td><td><img src='images/faq.png'></td></tr>
</table>
"
- title: Plan
- items:
- type: markdown
text: "
Prepare to deploy Windows 10 in your organization. Explore deployment methods, compatibility tools, and servicing options. <br>
<table><tr><td><img src='images/plan1.png' width='192' height='192'><br>**Application compatibility**<br>Get best practices and tools to help you address compatibility issues prior to deployment.<br><a href='https://www.readyforwindows.com/'>Find apps that are ready for Windows 10.</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness'>Identify and prioritize apps with Upgrade Readiness</a><br><a href='https://technet.microsoft.com/microsoft-edge/mt612809.aspx'>Test, validate, and implement with the Web Application Compatibility Lab Kit</a></td><td><img src='images/plan2.png' width='192' height='192'><br>**Upgrade options**<br>Learn about the options available for upgrading Windows 7, Windows 8, or Windows 8.1 PCs and devices to Windows 10.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades'>Manage Windows upgrades with Upgrade Readiness</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths'>Windows 10 upgrade paths</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades'>Windows 10 edition upgrades</a></td><td><img src='images/plan3.png' width='192' height='192'><br>**Windows as a service**<br>Windows as a service provides ongoing new capabilities and updates while maintaining a high level of hardware and software compatibility.<br><a href='https://docs.microsoft.com/windows/deployment/update/windows-as-a-service'>Explore</a></td></tr>
</table>
"
- title: Deploy
- items:
- type: markdown
text: "
Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.<br>
<table><tr><td><img src='images/deploy1.png' width='192' height='192'><br>**In-place upgrade**<br>The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager'>Upgrade to Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit'>Upgrade to Windows 10 with MDT</a></td><td><img src='images/deploy2.png' width='192' height='192'><br>**Traditional deployment**<br>Some organizations may still need to opt for an image-based deployment of Windows 10.<br><a href='https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems'>Deploy Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit'>Deploy Windows 10 with MDT</a></td></tr><tr><td><img src='images/deploy3.png' width='192' height='192'><br>**Dynamic provisioning**<br>With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.<br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages'>Provisioning packages for Windows 10</a><br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package'>Build and apply a provisioning package</a><br><a href='https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd'>Customize Windows 10 start and the taskbar</a></td><td><img src='images/deploy4.png' width='192' height='192'><br>**Other deployment scenarios**<br>Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.<br><a href='https://docs.microsoft.com/education/windows/'>Windows deployment for education environments</a><br><a href='https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc'>Set up a shared or guest PC with Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/sideload-apps-in-windows-10'>Sideload apps in Windows 10</a></td></tr>
</table>
"
- title: Management and security
- items:
- type: markdown
text: "
Learn how to manage Windows 10 clients and apps, secure company data, and manage risk.<br>
<table><tr><td><img src='images/manage1.png' width='192' height='192'><br>**Manage Windows 10 updates**<br>Get best practices and tools to help you manage clients and apps.<br><a href='https://docs.microsoft.com/windows/client-management/'>Manage clients in Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/'>Manage apps and features in Windows 10</a></td><td><img src='images/manage2.png' width='192' height='192'><br>**Security**<br>Intelligent security, powered by the cloud. Out-of-the-box protection, advanced security features, and intelligent management to respond to advanced threats.<br><a href='https://docs.microsoft.com/windows/security/index'>Windows 10 enterprise security</a><br><a href='https://docs.microsoft.com/windows/security/threat-protection'>Threat protection</a><br><a href='https://docs.microsoft.com/windows/access-protection'>Identity protection</a><br><a href='https://docs.microsoft.com/windows/security/information-protection'>Information protection</a></td></tr>
</table>
"
- title: Stay informed
- items:
- type: markdown
text: "
Stay connected with Windows 10 experts, your colleagues, business trends, and IT pro events.<br>
<table><tr><td><img src='images/insider.png' width='192' height='192'><br>**Sign up for the Windows IT Pro Insider**<br>Find out about new resources and get expert tips and tricks on deployment, management, security, and more.<br><a href='https://aka.ms/windows-it-pro-insider'>Learn more</a></td><td><img src='images/twitter.png' width='192' height='192'><br>**Follow us on Twitter**<br>Keep up with the latest desktop and device trends, Windows news, and events for IT pros.<br><a href='https://twitter.com/MSWindowsITPro'>Visit Twitter</a></td><td><img src='images/wip4biz.png' width='192' height='192'><br>**Join the Windows Insider Program for Business**<br>Get early access to new builds and provide feedback on the latest features and functionalities.<br><a href='https://insider.windows.com/ForBusiness'>Get started</a></td></tr>
</table>
"

1
windows/security/docfx.json
View File

@ -33,7 +33,6 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",

2
windows/security/identity-protection/access-control/special-identities.md
View File

@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.

67
windows/security/threat-protection/TOC.md
View File

@ -26,18 +26,23 @@
## [Migration guides](microsoft-defender-atp/migration-guides.md)
### [Switch from McAfee to Microsoft Defender ATP]()
#### [Get an overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
#### [Prepare for your migration](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
#### [Set up Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
### [Switch from Symantec to Microsoft Defender ATP]()
#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
### [Manage Microsoft Defender ATP after migration]()
#### [Overview](microsoft-defender-atp/manage-atp-post-migration.md)
### [Switch from McAfee to Microsoft Defender for Endpoint]()
#### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
#### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
#### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
#### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
### [Switch from Symantec to Microsoft Defender for Endpoint]()
#### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
#### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
#### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
#### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
#### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
#### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
#### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
#### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
### [Manage Microsoft Defender for Endpoint after migration]()
#### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
@ -251,9 +256,17 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for iOS]()
#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
#### [Deploy]()
##### [App-based deployment](microsoft-defender-atp/ios-install.md)
#### [Configure]()
##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
@ -367,12 +380,6 @@
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Custom detections]()
##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
### [Behavioral blocking and containment]()
#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
@ -385,10 +392,15 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
#### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
#### [Learn, train, & get examples]()
##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
#### [Optimize & handle errors]()
##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
##### [Handle errors](microsoft-defender-atp/advanced-hunting-errors.md)
##### [Service limits](microsoft-defender-atp/advanced-hunting-limits.md)
#### [Data schema]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
@ -405,7 +417,10 @@
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Custom detections]()
##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
@ -529,6 +544,7 @@
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
####### [Set device value](microsoft-defender-atp/set-device-value.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@ -643,6 +659,7 @@
#### [Managed security service provider (MSSP) integration]()
##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
@ -680,15 +697,19 @@
#### [Troubleshoot Microsoft Defender ATP service issues]()
##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
##### [Check service health](microsoft-defender-atp/service-status.md)
##### [Contact Microsoft Defender ATP support](microsoft-defender-atp/contact-support.md)
#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
#### [Collect support logs using LiveAnalyzer ](microsoft-defender-atp/troubleshoot-collect-support-log.md)
#### [Troubleshoot attack surface reduction issues]()
##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)

35
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
View File

@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation <path>
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
```Dos
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
| field | Description |
|:----|:----|
| path | The path as specified on the commandline or retrieved from configuration
| MMDD | Month Day when the diagnostic data was collected (eg 0530)
| hostname | the hostname of the device on which the diagnostic data was collected.
| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
| path | The path as specified on the command line or retrieved from configuration
| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
| hostname | The hostname of the device on which the diagnostic data was collected
| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
> [!NOTE]
> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
## Specify location where diagnostic data is created
You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
1. Select **Define the directory path to copy support log files**.
![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
3. Inside the policy editor, select **Enabled**.
4. Specify the directory path where you want to copy the support log files in the **Options** field.
![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
5. Select **OK** or **Apply**.
## See also

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
View File

@ -59,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
>[!NOTE]
>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
> [!NOTE]
> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
## Use PowerShell to configure scanning options

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 314 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 140 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

35
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 09/10/2020
ms.date: 09/28/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@ -42,6 +42,11 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
> [!NOTE]
> Updates are released under the below KB numbers:
> Microsoft Defender Antivirus: KB2267602
> System Center Endpoint Protection: KB2461484
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the security intelligence updates and are released on a monthly cadence.
@ -66,6 +71,30 @@ All our updates contain:
* integration improvements (Cloud, MTP)
<br/>
<details>
<summary> September-2020 (Platform: 4.18.2009.X | Engine: 1.1.17500.4)</summary>
&ensp;Security intelligence update version: **1.325.10.0**
&ensp;Released: **October 01, 2020**
&ensp;Platform: **4.18.2009.X**
&ensp;Engine: **1.1.17500.4**
&ensp;Support phase: **Security and Critical Updates**
### What's new
*Admin permissions are required to restore files in quarantine
*XML formatted events are now supported
*CSP support for ignoring exclusion merge
*New management interfaces for:
+UDP Inspection
+Network Protection on Server 2019
+IP Address exclusions for Network Protection
*Improved visibility into TPM measurements
*Improved Office VBA module scanning
### Known Issues
No known issues
<br/>
</details>
<details>
<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
&ensp;Security intelligence update version: **1.323.9.0**
@ -79,7 +108,7 @@ All our updates contain:
* Improved scan event telemetry
* Improved behavior monitoring for memory scans
* Improved macro streams scanning
* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
* Added "AMRunningMode" to Get-MpComputerStatus PowerShell CmdLet
### Known Issues
No known issues
@ -111,7 +140,7 @@ No known issues
&ensp;Released: **June 22, 2020**
&ensp;Platform: **4.18.2006.10**
&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Security and Critical Updates**
&ensp;Support phase: **Technical upgrade Support (Only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)

4
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 08/26/2020
ms.date: 09/28/2020
---
# Microsoft Defender Antivirus compatibility
@ -94,6 +94,8 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
> [!IMPORTANT]
> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
## Related topics

3
windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
View File

@ -64,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic
You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
> [!NOTE]
> This setting is not supported on Windows 10.
### Use Group Policy to prevent users from pausing a scan
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.

14
windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
---
@ -25,15 +25,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
## Use Microsoft Intune to review scan results
1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
2. Click the scan results in **Device actions status**.
## Use Configuration Manager to review scan results
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
@ -46,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection
```
![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png)
![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png)
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
@ -56,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat
Get-MpThreat
```
![IMAGEALT](images/defender/wdav-get-mpthreat.png)
![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png)
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.

3
windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
View File

@ -32,6 +32,9 @@ You can run an on-demand scan on individual endpoints. These scans will start im
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
> [!IMPORTANT]
> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.

13
windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 07/22/2020
ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
@ -28,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
To configure the Group Policy settings described in this topic:
## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -201,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
Set-MpPreference -ScanScheduleQuickTime
Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@ -229,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
## Related topics
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)

134
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md Normal file
View File

@ -0,0 +1,134 @@
---
title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: martyav
ms.author: v-maave
ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
---
# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
## Review event logs
Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
From there, select **Open** underneath **Operational**.
Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
## Microsoft Defender Antivirus won't start
This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
### Associated event IDs
Event ID | Log name | Description | Source
-|-|-|-
15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
> [!TIP]
> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
#### Use Services app to check if Microsoft Defender Antivirus is turned off
To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
#### Generate a detailed report
You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
```powershell
GPresult.exe /h gpresult.html
```
This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
##### Group policy results
##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
Policy | Setting | Winning GPO
-|-|-
Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
###### If security settings are implemented via Group policy preference (GPP)
Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
DisableAntiSpyware | -
-|-
Winning GPO | Win10-Workstations
Result: Success |
**General** |
Action | Update
**Properties** |
Hive | HKEY_LOCAL_MACHINE
Key path | SOFTWARE\Policies\Microsoft\Windows Defender
Value name | DisableAntiSpyware
Value type | REG_DWORD
Value data | 0x1 (1)
###### If security settings are implemented via registry key
The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
> Registry (regedit.exe)
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
> DisableAntiSpyware (dword) 1 (hex)
###### If security settings are set in Windows or your Windows Server image
Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
### Turn Microsoft Defender Antivirus back on
Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
> [!WARNING]
> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
> [!IMPORTANT]
> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
### See also
* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)

6
windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
View File

@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
ms.date: 10/01/2018
ms.reviewer: ksarens
manager: dansimp
---
@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)

89
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
View File

@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
### Can I enable Application Guard on machines equipped with 4GB RAM? |
### Can I enable Application Guard on machines equipped with 4GB RAM?
We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
@ -87,7 +88,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@ -95,88 +96,8 @@ Yes, both the enterprise resource domains hosted in the cloud and the domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
### Why do the network isolation policies in Group Policy and CSP look different?
There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements.
### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
1. Program path: `%SystemRoot%\System32\svchost.exe`
2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
3. Program path: **%SystemRoot%\System32\svchost.exe**.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
7. All profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
### How can I have ICS in enabled state yet still use Application Guard?
This is a two step process.
Step 1:
Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
Step 2:
1. Disable IpNat.sys from ICS load:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
2. Configure ICS (SharedAccess) to enabled:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
3. Disable IPNAT (Optional):
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
4. Restart the device.
### Why doesn't Application Guard work, even though it's enabled through Group Policy?
Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard).
To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
### I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
2. Reboot the device.
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.

4
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -43,8 +43,8 @@ Application Guard has been created to target several types of systems:
## Related articles
|Article | Description |
|--------|-------------|
|Article |Description |
|------|------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|

46
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Handle errors in advanced hunting for Microsoft Defender ATP
description: Understand errors displayed when using advanced hunting
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Handle advanced hunting errors
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
| Error type | Cause | Resolution | Error message examples |
|--|--|--|--|
| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`<br>- `You have exceeded processing resources allocated to this tenant. You can run queries again in <duration>.` |
| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` |
| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`<br>-`Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.` |
| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.`
## Related topics
- [Advanced hunting best practices](advanced-hunting-best-practices.md)
- [Service limits](advanced-hunting-limits.md)
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/)

48
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Advanced hunting limits in Microsoft Defender ATP
description: Understand various service limits that keep the advanced hunting service responsive
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Advanced hunting service limits
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits.
| Limit | Size | Refresh cycle | Description |
|--|--|--|--|
| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. |
| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. |
| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error.
| CPU resources | Based on tenant size | - On the hour and then every 15 minutes<br>- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
>[!NOTE]
>A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
## Related topics
- [Advanced hunting best practices](advanced-hunting-best-practices.md)
- [Handle advanced hunting errors](advanced-hunting-errors.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Custom detections rules](custom-detection-rules.md)

22
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -26,9 +26,12 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
>[!TIP]
>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
## Get started with advanced hunting
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
@ -38,22 +41,25 @@ Watch this video for a quick overview of advanced hunting and a short tutorial t
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
| Learning goal | Description | Resource |
|--|--|--|
| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency
Advanced hunting data can be categorized into two distinct types, each consolidated differently:
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
## Time zone
All time information in advanced hunting is currently in the UTC time zone.
Time information in advanced hunting is currently in the UTC time zone.
## Related topics
- [Learn the query language](advanced-hunting-query-language.md)

8
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -33,7 +33,7 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co
> [!NOTE]
> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.** <br>
> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
Updates to the app are automatic via Google Play.
@ -58,7 +58,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
- **Name**
- **Description**
- **Publisher** as Microsoft.
- **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP Preview app Google Play Store URL)
- **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL)
Other fields are optional. Select **Next**.
@ -73,14 +73,14 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
> ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png)
6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.
![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png)
7. In the app information page that is displayed, in the **Monitor** section,
5. In the app information page that is displayed, in the **Monitor** section,
select **Device install status** to verify that the device installation has
completed successfully.

7
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -14,7 +14,8 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.date: 09/24/2020
---
# View details and results of automated investigations
@ -22,7 +23,7 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
@ -164,5 +165,5 @@ When you click on the pending actions link, you'll be taken to the Action center
- [View and approve remediation actions](manage-auto-investigation.md)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)

66
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -1,22 +1,23 @@
---
title: Use automated investigations to investigate and remediate threats
description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.date: 09/03/2020
ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
ms.custom: AIR
---
@ -27,16 +28,16 @@ ms.custom: AIR
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities.
Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated.
Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@ -51,15 +52,15 @@ During and after an automated investigation, you can view details about the inve
|Tab |Description |
|--|--|
|**Alerts**| Shows the alert that started the investigation.|
|**Devices** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|**Alerts**| The alert(s) that started the investigation.|
|**Devices** |The device(s) where the threat was seen.|
|**Evidence** |The entities that were found to be malicious during an investigation.|
|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
## How an automated investigation expands its scope
@ -69,48 +70,33 @@ If an incriminated entity is seen in another device, the automated investigation
## How threats are remediated
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats.
Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
> [!NOTE]
> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
|**Full - remediate threats automatically** | All remediation actions are performed automatically.<br/><br/>***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined. <br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*|
|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br/><br/> Files or executables in all other folders are automatically remediated, if needed.|
|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders. <br/><br/> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).|
|**Semi - require approval for any remediation** | An approval is needed for any remediation action. <br/><br/>*This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined. <br/>If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
|**No automated response** | Devices do not get any automated investigations run on them. <br/><br/>***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* |
|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.<br/><br/>***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* <br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md). <br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/> Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*` |
|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).<br/><br/>*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*<br/><br/>*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. <br/><br/>***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
> [!IMPORTANT]
> Regarding automation levels and default settings:
> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups.
> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
### A few points to keep in mind
- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed.
- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
## See also
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)

14
windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
View File

@ -1,10 +1,11 @@
---
title: Configure automated investigation and remediation capabilities
description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.technology: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@ -14,20 +15,21 @@ ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.reviewer: ramarom, evaldm, isco, mabraitm
ms.topic: article
ms.date: 09/24/2020
ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
---
# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection
# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).

13
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -27,11 +27,14 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
@ -79,7 +82,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png)
@ -87,7 +90,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png)
The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png)
@ -110,7 +113,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
- Weve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- Weve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
@ -119,7 +122,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications**

2
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -66,6 +66,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
- **Fetch alerts from MSSP customer's tenant using APIs** <br>
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Multi-tenant access for MSSPs
For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).

90
windows/security/threat-protection/microsoft-defender-atp/contact-support.md Normal file
View File

@ -0,0 +1,90 @@
---
title: Contact Microsoft Defender ATP support
description: Learn how to contact Microsoft Defender ATP support
keywords: support, contact, premier support, solutions, problems, case
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Contact Microsoft Defender ATP support
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Microsoft Defender ATP has recently upgraded the support process to offer a more modern and advanced support experience.
The new widget allows customers to:
- Find solutions to common problems
- Submit a support case to the Microsoft support team
## Prerequisites
It's important to know the specific roles that have permission to open support cases.
At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role.
For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case.
For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
## Access the widget
Accessing the new support widget can be done in one of two ways:
1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
![Image of widget when question mark is selected](images/support-widget.png)
2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center:
![Image of the need help button](images/need-help.png)
In the widget you will be offered two options:
- Find solutions to common problems
- Open a service request
## Find solutions to common problems
This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
![Image of need help widget](images/Support3.png)
In case the suggested articles are not sufficient, you can open a service request.
## Open a service request
Learn how to open support tickets by contacting Microsoft Defender ATP support.
### Contact support
This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
![Image of the open a service request widget](images/Support4.png)
1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly.
## Related topics
- [Troubleshoot service issues](troubleshoot-mdatp.md)
- [Check service health](service-status.md)

2
windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
View File

@ -36,7 +36,7 @@ Enable security information and event management (SIEM) integration so you can p
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
## Enabling SIEM integration

168
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
## Enable the Insider program with Jamf
a. Create configuration profile com.microsoft.wdav.plist with the following content:
1. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
b. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
1. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
c. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier.
1. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier.
>[!WARNING]
>You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
> [!WARNING]
> You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
## Enable the Insider program with Intune
a. Create configuration profile com.microsoft.wdav.plist with the following content:
1. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
b. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
1. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
c. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
d. Save the .plist created earlier as com.microsoft.wdav.xml.
1. Save the .plist created earlier as com.microsoft.wdav.xml.
e. Enter com.microsoft.wdav as the custom configuration profile name.
1. Enter com.microsoft.wdav as the custom configuration profile name.
f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
g. Select **OK**.
1. Select **OK**.
h. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
1. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
>[!WARNING]
>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
> [!WARNING]
> You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Enable the Insider program manually on a single device
@ -134,7 +134,7 @@ In terminal, run:
```bash
mdatp --edr --early-preview true
```
```
For versions earlier than 100.78.0, run:
@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
* Check that you enabled the early preview flag. In terminal run “mdatp health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

16
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
View File

@ -41,7 +41,7 @@ Not all properties are filterable.
Get 10 latest Alerts with related Evidence
```
```http
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
@ -147,9 +147,9 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
### Example 2
Get all the alerts last updated after 2019-10-20 00:00:00
Get all the alerts last updated after 2019-11-22 00:00:00
```
```http
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
@ -205,7 +205,7 @@ HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTi
Get all the devices with 'High' 'RiskScore'
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
@ -244,7 +244,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
Get top 100 devices with 'HealthStatus' not equals to 'Active'
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
@ -283,7 +283,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
Get all the devices that last seen after 2018-10-20
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
@ -322,7 +322,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
@ -354,7 +354,7 @@ json{
Get the count of open alerts for a specific device:
```
```http
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
```

2
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
View File

@ -32,7 +32,7 @@ To become a Microsoft Defender ATP solution partner, you'll need to follow and c
Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
## Step 2: Fulfill the solution validation and certification requirements
The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team.
Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 173 KiB

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 124 KiB

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 68 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 69 KiB

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 612 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 65 KiB

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/Support3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 189 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/Support4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/analyzer-commands.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/analyzer-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.4 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 717 KiB

Some files were not shown because too many files have changed in this diff Show More