deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 21:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-blmgep-4318240

Browse Source
This commit is contained in:
Siddarth Mandalika 2020-10-06 18:19:36 +05:30
commit 789b0d8253
111 changed files with 1444 additions and 1040 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
windows/client-management/mdm/healthattestation-csp.md
View File

@ -74,7 +74,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
<p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
<ul>
<li>Enables the DHA feature on a DHA-Enabled device</li>
@ -195,10 +195,10 @@ The following diagram shows the Device HealthAttestation configuration service p
<p style="margin-left: 20px">The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
- 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
<a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)
<p style="margin-left: 20px">Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p
<a href="" id="correlationid"></a>**CorrelationId** (Required)
<p style="margin-left: 20px">Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.</p>
<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.</p>
<a href="" id="hasendpoint"></a>**HASEndpoint** (Optional)
<p style="margin-left: 20px">Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</p>
@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
Here is a sample alert that is issued by DHA_CSP:
@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w
<tr>
<td style="vertical-align:top">3</td>
<td style="vertical-align:top">HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE</td>
<td style="vertical-align:top">This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.</td>
<td style="vertical-align:top">This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.</td>
</tr>
<tr>
<td style="vertical-align:top">4</td>

4
windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
View File

@ -97,7 +97,7 @@ For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Sc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *SSL Cipher Suite Order*
- GP name: *Functions*
- GP name: *SSLCipherSuiteOrder*
- GP path: *Network/SSL Configuration Settings*
- GP ADMX file name: *CipherSuiteOrder.admx*
@ -180,7 +180,7 @@ CertUtil.exe -DisplayEccCurve
<!--ADMXBacked-->
ADMX Info:
- GP English name: *ECC Curve Order*
- GP name: *EccCurves*
- GP name: *SSLCurveOrder*
- GP path: *Network/SSL Configuration Settings*
- GP ADMX file name: *CipherSuiteOrder.admx*

4
windows/client-management/mdm/policy-csp-admx-com.md
View File

@ -99,7 +99,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Download missing COM components*
- GP name: *COMClassStore*
- GP name: *AppMgmt_COM_SearchForCLSID_1*
- GP path: *System*
- GP ADMX file name: *COM.admx*
@ -174,7 +174,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Download missing COM components*
- GP name: *COMClassStore*
- GP name: *AppMgmt_COM_SearchForCLSID_2*
- GP path: *System*
- GP ADMX file name: *COM.admx*

4
windows/client-management/mdm/policy-csp-admx-digitallocker.md
View File

@ -96,7 +96,7 @@ If you disable or do not configure this setting, Digital Locker can be run.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow Digital Locker to run*
- GP name: *DoNotRunDigitalLocker*
- GP name: *Digitalx_DiableApplication_TitleText_1*
- GP path: *Windows Components/Digital Locker*
- GP ADMX file name: *DigitalLocker.admx*
@ -167,7 +167,7 @@ If you disable or do not configure this setting, Digital Locker can be run.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow Digital Locker to run*
- GP name: *DoNotRunDigitalLocker*
- GP name: *Digitalx_DiableApplication_TitleText_2*
- GP path: *Windows Components/Digital Locker*
- GP ADMX file name: *DigitalLocker.admx*

12
windows/client-management/mdm/policy-csp-admx-dwm.md
View File

@ -109,7 +109,7 @@ If you disable or do not configure this policy setting, the default internal col
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify a default color*
- GP name: *DefaultColorizationColorState*
- GP name: *DwmDefaultColorizationColor_1*
- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring*
- GP ADMX file name: *DWM.admx*
@ -182,7 +182,7 @@ If you disable or do not configure this policy setting, the default internal col
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify a default color*
- GP name: *DefaultColorizationColorState*
- GP name: *DwmDefaultColorizationColor_2*
- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring*
- GP ADMX file name: *DWM.admx*
@ -253,7 +253,7 @@ Changing this policy setting requires a logoff for it to be applied.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow window animations*
- GP name: *DisallowAnimations*
- GP name: *DwmDisallowAnimations_1*
- GP path: *Windows Components/Desktop Window Manager*
- GP ADMX file name: *DWM.admx*
@ -324,7 +324,7 @@ Changing this policy setting requires a logoff for it to be applied.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow window animations*
- GP name: *DisallowAnimations*
- GP name: *DwmDisallowAnimations_2*
- GP path: *Windows Components/Desktop Window Manager*
- GP ADMX file name: *DWM.admx*
@ -396,7 +396,7 @@ If you disable or do not configure this policy setting, you allow users to chang
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow color changes*
- GP name: *DisallowColorizationColorChanges*
- GP name: *DwmDisallowColorizationColorChanges_1*
- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring*
- GP ADMX file name: *DWM.admx*
@ -468,7 +468,7 @@ If you disable or do not configure this policy setting, you allow users to chang
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow color changes*
- GP name: *DisallowColorizationColorChanges*
- GP name: *DwmDisallowColorizationColorChanges_2*
- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring*
- GP ADMX file name: *DWM.admx*

2
windows/client-management/mdm/policy-csp-admx-eventforwarding.md
View File

@ -97,7 +97,7 @@ This setting applies across all subscriptions for the forwarder (source computer
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure forwarder resource usage*
- GP name: *MaxForwardingRate*
- GP name: *ForwarderResourceUsage*
- GP path: *Windows Components/Event Forwarding*
- GP ADMX file name: *EventForwarding.admx*

2
windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
View File

@ -94,7 +94,7 @@ By default, the RPC protocol message between File Server VSS provider and File S
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.*
- GP name: *EncryptProtocol*
- GP name: *Pol_EncryptProtocol*
- GP path: *System/File Share Shadow Copy Provider*
- GP ADMX file name: *FileServerVSSProvider.admx*

12
windows/client-management/mdm/policy-csp-admx-filesys.md
View File

@ -106,7 +106,7 @@ Available in Windows 10 Insider Preview Build 20185. Compression can add to the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow compression on all NTFS volumes*
- GP name: *NtfsDisableCompression*
- GP name: *DisableCompression*
- GP path: *System/Filesystem/NTFS*
- GP ADMX file name: *FileSys.admx*
@ -237,7 +237,7 @@ Available in Windows 10 Insider Preview Build 20185. Encryption can add to the p
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow encryption on all NTFS volumes*
- GP name: *NtfsDisableEncryption*
- GP name: *DisableEncryption*
- GP path: *System/Filesystem/NTFS*
- GP ADMX file name: *FileSys.admx*
@ -300,7 +300,7 @@ Available in Windows 10 Insider Preview Build 20185. Encrypting the page file pr
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable NTFS pagefile encryption*
- GP name: *NtfsEncryptPagingFile*
- GP name: *EnablePagefileEncryption*
- GP path: *System/Filesystem/NTFS*
- GP ADMX file name: *FileSys.admx*
@ -428,7 +428,7 @@ If you enable short names on all volumes then short names will always be generat
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Short name creation options*
- GP name: *NtfsDisable8dot3NameCreation*
- GP name: *ShortNameCreationSettings*
- GP path: *System/Filesystem/NTFS*
- GP ADMX file name: *FileSys.admx*
@ -502,7 +502,7 @@ For more information, refer to the Windows Help section.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Selectively allow the evaluation of a symbolic link*
- GP name: *SymlinkLocalToLocalEvaluation*
- GP name: *SymlinkEvaluation*
- GP path: *System/Filesystem*
- GP ADMX file name: *FileSys.admx*
@ -565,7 +565,7 @@ Available in Windows 10 Insider Preview Build 20185. TXF deprecated features inc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable / disable TXF deprecated features*
- GP name: *NtfsEnableTxfDeprecatedFunctionality*
- GP name: *TxfDeprecatedFunctionality*
- GP path: *System/Filesystem/NTFS*
- GP ADMX file name: *FileSys.admx*

8
windows/client-management/mdm/policy-csp-admx-folderredirection.md
View File

@ -329,7 +329,7 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use localized subfolder names when redirecting Start Menu and My Documents*
- GP name: *LocalizeXPRelativePaths*
- GP name: *LocalizeXPRelativePaths_1*
- GP path: *System/Folder Redirection*
- GP ADMX file name: *FolderRedirection.admx*
@ -401,7 +401,7 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use localized subfolder names when redirecting Start Menu and My Documents*
- GP name: *LocalizeXPRelativePaths*
- GP name: *LocalizeXPRelativePaths_2*
- GP path: *System/Folder Redirection*
- GP ADMX file name: *FolderRedirection.admx*
@ -474,7 +474,7 @@ If you disable or do not configure this policy setting and the user has redirect
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Redirect folders on primary computers only*
- GP name: *PrimaryComputerEnabledFR*
- GP name: *PrimaryComputer_FR_1*
- GP path: *System/Folder Redirection*
- GP ADMX file name: *FolderRedirection.admx*
@ -547,7 +547,7 @@ If you disable or do not configure this policy setting and the user has redirect
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Redirect folders on primary computers only*
- GP name: *PrimaryComputerEnabledFR*
- GP name: *PrimaryComputer_FR_2*
- GP path: *System/Folder Redirection*
- GP ADMX file name: *FolderRedirection.admx*

6
windows/client-management/mdm/policy-csp-admx-help.md
View File

@ -185,7 +185,7 @@ For additional options, see the "Restrict these programs from being launched fro
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict potentially unsafe HTML Help functions to specified folders*
- GP name: *HelpQualifiedRootDir*
- GP name: *HelpQualifiedRootDir_Comp*
- GP path: *System*
- GP ADMX file name: *Help.admx*
@ -259,7 +259,7 @@ If you disable or do not configure this policy setting, users can run all applic
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict these programs from being launched from Help*
- GP name: *DisableInHelp*
- GP name: *RestrictRunFromHelp*
- GP path: *System*
- GP ADMX file name: *Help.admx*
@ -332,7 +332,7 @@ If you disable or do not configure this policy setting, users can run all applic
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict these programs from being launched from Help*
- GP name: *DisableInHelp*
- GP name: *RestrictRunFromHelp_Comp*
- GP path: *System*
- GP ADMX file name: *Help.admx*

8
windows/client-management/mdm/policy-csp-admx-helpandsupport.md
View File

@ -100,7 +100,7 @@ If you disable or do not configure this policy setting, the default behavior app
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Active Help*
- GP name: *NoActiveHelp*
- GP name: *ActiveHelp*
- GP path: *Windows Components/Online Assistance*
- GP ADMX file name: *HelpAndSupport.admx*
@ -171,7 +171,7 @@ Users can use the control to provide feedback on the quality and usefulness of t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help Ratings*
- GP name: *NoExplicitFeedback*
- GP name: *HPExplicitFeedback*
- GP path: *System/Internet Communication Management/Internet Communication settings*
- GP ADMX file name: *HelpAndSupport.admx*
@ -239,7 +239,7 @@ If you disable or do not configure this policy setting, users can turn on the He
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help Experience Improvement Program*
- GP name: *NoImplicitFeedback*
- GP name: *HPImplicitFeedback*
- GP path: *System/Internet Communication Management/Internet Communication settings*
- GP ADMX file name: *HelpAndSupport.admx*
@ -308,7 +308,7 @@ If you disable or do not configure this policy setting, users can access online
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Online*
- GP name: *NoOnlineAssist*
- GP name: *HPOnlineAssistance*
- GP path: *System/Internet Communication Management/Internet Communication settings*
- GP ADMX file name: *HelpAndSupport.admx*

8
windows/client-management/mdm/policy-csp-admx-kdc.md
View File

@ -133,7 +133,7 @@ Impact on domain controller performance when this policy setting is enabled:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP name: *CbacAndArmor*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -204,7 +204,7 @@ To ensure consistent behavior, this policy setting must be supported and set ide
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *UseForestSearch*
- GP name: *ForestSearch*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -420,7 +420,7 @@ If you disable or do not configure this policy setting, the threshold value defa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Warning for large Kerberos tickets*
- GP name: *EnableTicketSizeThreshold*
- GP name: *TicketSizeThreshold*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -494,7 +494,7 @@ If you disable or do not configure this policy setting, the domain controller do
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Provide information about previous logons to client computers*
- GP name: *EmitLILI*
- GP name: *emitlili*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*

8
windows/client-management/mdm/policy-csp-admx-lanmanserver.md
View File

@ -116,7 +116,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Cipher suite order*
- GP name: *CipherSuiteOrder*
- GP name: *Pol_CipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -199,7 +199,7 @@ In circumstances where this policy setting is enabled, you can also select the f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Publication for BranchCache*
- GP name: *HashPublicationForPeerCaching*
- GP name: *Pol_HashPublication*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -286,7 +286,7 @@ Hash version supported:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Version support for BranchCache*
- GP name: *HashSupportVersion*
- GP name: *Pol_HashSupportVersion*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -358,7 +358,7 @@ If you disable or do not configure this policy setting, the SMB server will sele
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Honor cipher suite order*
- GP name: *HonorCipherSuiteOrder*
- GP name: *Pol_HonorCipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*

4
windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
View File

@ -96,7 +96,7 @@ If you disable or do not configure this policy setting, the default behavior of
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Mapper I/O (LLTDIO) driver*
- GP name: *EnableLLTDIO*
- GP name: *LLTD_EnableLLTDIO*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
@ -167,7 +167,7 @@ If you disable or do not configure this policy setting, the default behavior for
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Responder (RSPNDR) driver*
- GP name: *EnableRspndr*
- GP name: *LLTD_EnableRspndr*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*

10
windows/client-management/mdm/policy-csp-admx-mmc.md
View File

@ -113,7 +113,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *ActiveX Control*
- GP name: *Restrict_Run*
- GP name: *MMC_ActiveXControl*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -192,7 +192,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Extended View (Web View)*
- GP name: *Restrict_Run*
- GP name: *MMC_ExtendView*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMC.admx*
@ -271,7 +271,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Link to Web Address*
- GP name: *Restrict_Run*
- GP name: *MMC_LinkToWeb*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -344,7 +344,7 @@ If you disable this setting or do not configure it, users can enter author mode
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict the user from entering author mode*
- GP name: *RestrictAuthorMode*
- GP name: *MMC_Restrict_Author*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*
@ -422,7 +422,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict users to the explicitly permitted list of snap-ins*
- GP name: *RestrictToPermittedSnapins*
- GP name: *MMC_Restrict_To_Permitted_Snapins*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*

210
windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
View File

@ -408,7 +408,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Administrative Templates (Computers)*
- GP name: *Restrict_Run*
- GP name: *MMC_ADMComputers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -485,7 +485,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Administrative Templates (Computers)*
- GP name: *Restrict_Run*
- GP name: *MMC_ADMComputers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -563,7 +563,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Administrative Templates (Users)*
- GP name: *Restrict_Run*
- GP name: *MMC_ADMUsers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -641,7 +641,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Administrative Templates (Users)*
- GP name: *Restrict_Run*
- GP name: *MMC_ADMUsers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -719,7 +719,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *ADSI Edit*
- GP name: *Restrict_Run*
- GP name: *MMC_ADSI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -797,7 +797,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Active Directory Domains and Trusts*
- GP name: *Restrict_Run*
- GP name: *MMC_ActiveDirDomTrusts*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -875,7 +875,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Active Directory Sites and Services*
- GP name: *Restrict_Run*
- GP name: *MMC_ActiveDirSitesServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -953,7 +953,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Active Directory Users and Computers*
- GP name: *Restrict_Run*
- GP name: *MMC_ActiveDirUsersComp*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1031,7 +1031,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *AppleTalk Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_AppleTalkRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1109,7 +1109,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Authorization Manager*
- GP name: *Restrict_Run*
- GP name: *MMC_AuthMan*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1187,7 +1187,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Certification Authority*
- GP name: *Restrict_Run*
- GP name: *MMC_CertAuth*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1264,7 +1264,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Certification Authority Policy Settings*
- GP name: *Restrict_Run*
- GP name: *MMC_CertAuthPolSet*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1341,7 +1341,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Certificates*
- GP name: *Restrict_Run*
- GP name: *MMC_Certs*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1418,7 +1418,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Certificate Templates*
- GP name: *Restrict_Run*
- GP name: *MMC_CertsTemplate*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1495,7 +1495,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Component Services*
- GP name: *Restrict_Run*
- GP name: *MMC_ComponentServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1572,7 +1572,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Computer Management*
- GP name: *Restrict_Run*
- GP name: *MMC_ComputerManagement*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1649,7 +1649,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Connection Sharing (NAT)*
- GP name: *Restrict_Run*
- GP name: *MMC_ConnectionSharingNAT*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1726,7 +1726,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *DCOM Configuration Extension*
- GP name: *Restrict_Run*
- GP name: *MMC_DCOMCFG*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1803,7 +1803,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Distributed File System*
- GP name: *Restrict_Run*
- GP name: *MMC_DFS*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1880,7 +1880,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *DHCP Relay Management*
- GP name: *Restrict_Run*
- GP name: *MMC_DHCPRelayMgmt*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -1957,7 +1957,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Device Manager*
- GP name: *Restrict_Run*
- GP name: *MMC_DeviceManager_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2034,7 +2034,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Device Manager*
- GP name: *Restrict_Run*
- GP name: *MMC_DeviceManager_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2111,7 +2111,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disk Defragmenter*
- GP name: *Restrict_Run*
- GP name: *MMC_DiskDefrag*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2188,7 +2188,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disk Management*
- GP name: *Restrict_Run*
- GP name: *MMC_DiskMgmt*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2265,7 +2265,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enterprise PKI*
- GP name: *Restrict_Run*
- GP name: *MMC_EnterprisePKI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2342,7 +2342,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event Viewer*
- GP name: *Restrict_Run*
- GP name: *MMC_EventViewer_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2419,7 +2419,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event Viewer (Windows Vista)*
- GP name: *Restrict_Run*
- GP name: *MMC_EventViewer_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2496,7 +2496,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event Viewer*
- GP name: *Restrict_Run*
- GP name: *MMC_EventViewer_3*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2573,7 +2573,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event Viewer (Windows Vista)*
- GP name: *Restrict_Run*
- GP name: *MMC_EventViewer_4*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2651,7 +2651,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event Viewer (Windows Vista)*
- GP name: *Restrict_Run*
- GP name: *MMC_EventViewer_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2728,7 +2728,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *FAX Service*
- GP name: *Restrict_Run*
- GP name: *MMC_FAXService*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2805,7 +2805,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Failover Clusters Manager*
- GP name: *Restrict_Run*
- GP name: *MMC_FailoverClusters*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -2882,7 +2882,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Folder Redirection*
- GP name: *Restrict_Run*
- GP name: *MMC_FolderRedirection_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -2959,7 +2959,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Folder Redirection*
- GP name: *Restrict_Run*
- GP name: *MMC_FolderRedirection_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -3036,7 +3036,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *FrontPage Server Extensions*
- GP name: *Restrict_Run*
- GP name: *MMC_FrontPageExt*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3113,7 +3113,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Group Policy Management*
- GP name: *Restrict_Run*
- GP name: *MMC_GroupPolicyManagementSnapIn*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
- GP ADMX file name: *MMCSnapins.admx*
@ -3190,7 +3190,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Group Policy Object Editor*
- GP name: *Restrict_Run*
- GP name: *MMC_GroupPolicySnapIn*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
- GP ADMX file name: *MMCSnapins.admx*
@ -3269,7 +3269,7 @@ When the Group Policy tab is inaccessible, it does not appear in the site, domai
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Group Policy tab for Active Directory Tools*
- GP name: *Restrict_Run*
- GP name: *MMC_GroupPolicyTab*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
- GP ADMX file name: *MMCSnapins.admx*
@ -3346,7 +3346,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Health Registration Authority (HRA)*
- GP name: *Restrict_Run*
- GP name: *MMC_HRA*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3423,7 +3423,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Internet Authentication Service (IAS)*
- GP name: *Restrict_Run*
- GP name: *MMC_IAS*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3500,7 +3500,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IAS Logging*
- GP name: *Restrict_Run*
- GP name: *MMC_IASLogging*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3577,7 +3577,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Internet Explorer Maintenance*
- GP name: *Restrict_Run*
- GP name: *MMC_IEMaintenance_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -3654,7 +3654,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Internet Explorer Maintenance*
- GP name: *Restrict_Run*
- GP name: *MMC_IEMaintenance_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -3731,7 +3731,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IGMP Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_IGMPRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3808,7 +3808,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Internet Information Services*
- GP name: *Restrict_Run*
- GP name: *MMC_IIS*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3885,7 +3885,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IP Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_IPRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -3962,7 +3962,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IP Security Policy Management*
- GP name: *Restrict_Run*
- GP name: *MMC_IPSecManage_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4039,7 +4039,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IPX RIP Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_IPXRIPRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4116,7 +4116,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IPX Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_IPXRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4193,7 +4193,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IPX SAP Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_IPXSAPRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4270,7 +4270,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Indexing Service*
- GP name: *Restrict_Run*
- GP name: *MMC_IndexingService*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4347,7 +4347,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IP Security Policy Management*
- GP name: *Restrict_Run*
- GP name: *MMC_IpSecManage*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4424,7 +4424,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IP Security Monitor*
- GP name: *Restrict_Run*
- GP name: *MMC_IpSecMonitor*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4501,7 +4501,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Local Users and Groups*
- GP name: *Restrict_Run*
- GP name: *MMC_LocalUsersGroups*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4578,7 +4578,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Logical and Mapped Drives*
- GP name: *Restrict_Run*
- GP name: *MMC_LogicalMappedDrives*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4655,7 +4655,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Network Policy Server (NPS)*
- GP name: *Restrict_Run*
- GP name: *MMC_NPSUI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4732,7 +4732,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *NAP Client Configuration*
- GP name: *Restrict_Run*
- GP name: *MMC_NapSnap*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4809,7 +4809,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *NAP Client Configuration*
- GP name: *Restrict_Run*
- GP name: *MMC_NapSnap_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4886,7 +4886,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *.Net Framework Configuration*
- GP name: *Restrict_Run*
- GP name: *MMC_Net_Framework*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4963,7 +4963,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Online Responder*
- GP name: *Restrict_Run*
- GP name: *MMC_OCSP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5040,7 +5040,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *OSPF Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_OSPFRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5117,7 +5117,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Performance Logs and Alerts*
- GP name: *Restrict_Run*
- GP name: *MMC_PerfLogsAlerts*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5194,7 +5194,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Public Key Policies*
- GP name: *Restrict_Run*
- GP name: *MMC_PublicKey*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5271,7 +5271,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *QoS Admission Control*
- GP name: *Restrict_Run*
- GP name: *MMC_QoSAdmission*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5348,7 +5348,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *RAS Dialin - User Node*
- GP name: *Restrict_Run*
- GP name: *MMC_RAS_DialinUser*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5425,7 +5425,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *RIP Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_RIPRouting*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5502,7 +5502,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Installation Services*
- GP name: *Restrict_Run*
- GP name: *MMC_RIS*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5579,7 +5579,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Routing and Remote Access*
- GP name: *Restrict_Run*
- GP name: *MMC_RRA*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5656,7 +5656,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Removable Storage Management*
- GP name: *Restrict_Run*
- GP name: *MMC_RSM*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5733,7 +5733,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Removable Storage*
- GP name: *Restrict_Run*
- GP name: *MMC_RemStore*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5810,7 +5810,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Access*
- GP name: *Restrict_Run*
- GP name: *MMC_RemoteAccess*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5887,7 +5887,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Desktops*
- GP name: *Restrict_Run*
- GP name: *MMC_RemoteDesktop*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5964,7 +5964,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Resultant Set of Policy snap-in*
- GP name: *Restrict_Run*
- GP name: *MMC_ResultantSetOfPolicySnapIn*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
- GP ADMX file name: *MMCSnapins.admx*
@ -6041,7 +6041,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Routing*
- GP name: *Restrict_Run*
- GP name: *MMC_Routing*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6118,7 +6118,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Configuration and Analysis*
- GP name: *Restrict_Run*
- GP name: *MMC_SCA*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6195,7 +6195,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *SMTP Protocol*
- GP name: *Restrict_Run*
- GP name: *MMC_SMTPProtocol*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6272,7 +6272,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *SNMP*
- GP name: *Restrict_Run*
- GP name: *MMC_SNMP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6349,7 +6349,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scripts (Startup/Shutdown)*
- GP name: *Restrict_Run*
- GP name: *MMC_ScriptsMachine_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6426,7 +6426,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scripts (Startup/Shutdown)*
- GP name: *Restrict_Run*
- GP name: *MMC_ScriptsMachine_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6503,7 +6503,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scripts (Logon/Logoff)*
- GP name: *Restrict_Run*
- GP name: *MMC_ScriptsUser_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6580,7 +6580,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scripts (Logon/Logoff)*
- GP name: *Restrict_Run*
- GP name: *MMC_ScriptsUser_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6657,7 +6657,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP name: *Restrict_Run*
- GP name: *MMC_SecuritySettings_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6734,7 +6734,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP name: *Restrict_Run*
- GP name: *MMC_SecuritySettings_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -6811,7 +6811,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Templates*
- GP name: *Restrict_Run*
- GP name: *MMC_SecurityTemplates*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6888,7 +6888,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Send Console Message*
- GP name: *Restrict_Run*
- GP name: *MMC_SendConsoleMessage*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6965,7 +6965,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Server Manager*
- GP name: *Restrict_Run*
- GP name: *MMC_ServerManager*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7042,7 +7042,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Service Dependencies*
- GP name: *Restrict_Run*
- GP name: *MMC_ServiceDependencies*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7119,7 +7119,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Services*
- GP name: *Restrict_Run*
- GP name: *MMC_Services*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7196,7 +7196,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders*
- GP name: *Restrict_Run*
- GP name: *MMC_SharedFolders*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7273,7 +7273,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders Ext*
- GP name: *Restrict_Run*
- GP name: *MMC_SharedFolders_Ext*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7350,7 +7350,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP name: *Restrict_Run*
- GP name: *MMC_SoftwareInstalationComputers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -7427,7 +7427,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP name: *Restrict_Run*
- GP name: *MMC_SoftwareInstalationComputers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -7504,7 +7504,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP name: *Restrict_Run*
- GP name: *MMC_SoftwareInstallationUsers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -7581,7 +7581,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP name: *Restrict_Run*
- GP name: *MMC_SoftwareInstallationUsers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -7658,7 +7658,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Information*
- GP name: *Restrict_Run*
- GP name: *MMC_SysInfo*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7735,7 +7735,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Properties*
- GP name: *Restrict_Run*
- GP name: *MMC_SysProp*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7812,7 +7812,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *TPM Management*
- GP name: *Restrict_Run*
- GP name: *MMC_TPMManagement*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7889,7 +7889,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Telephony*
- GP name: *Restrict_Run*
- GP name: *MMC_Telephony*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -7966,7 +7966,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Desktop Services Configuration*
- GP name: *Restrict_Run*
- GP name: *MMC_TerminalServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -8043,7 +8043,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *WMI Control*
- GP name: *Restrict_Run*
- GP name: *MMC_WMI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -8120,7 +8120,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP name: *Restrict_Run*
- GP name: *MMC_WindowsFirewall*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -8197,7 +8197,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP name: *Restrict_Run*
- GP name: *MMC_WindowsFirewall_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -8274,7 +8274,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wired Network (IEEE 802.3) Policies*
- GP name: *Restrict_Run*
- GP name: *MMC_WiredNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -8351,7 +8351,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Monitor*
- GP name: *Restrict_Run*
- GP name: *MMC_WirelessMon*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -8428,7 +8428,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Network (IEEE 802.11) Policies*
- GP name: *Restrict_Run*
- GP name: *MMC_WirelessNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*

2
windows/client-management/mdm/policy-csp-admx-msapolicy.md
View File

@ -93,7 +93,7 @@ By default, this setting is Disabled. This setting does not affect whether users
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Block all consumer Microsoft account user authentication*
- GP name: *DisableUserAuth*
- GP name: *MicrosoftAccount_DisableUserAuth*
- GP path: *Windows Components\Microsoft account*
- GP ADMX file name: *MSAPolicy.admx*

8
windows/client-management/mdm/policy-csp-admx-nca.md
View File

@ -122,7 +122,7 @@ You must configure this setting to have complete NCA functionality.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Corporate Resources*
- GP name: *Probe*
- GP name: *CorporateResources*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
@ -187,7 +187,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting specifi
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Custom Commands*
- GP name: *CustomCommand*
- GP name: *CustomCommands*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
@ -258,7 +258,7 @@ You must configure this setting to have complete NCA functionality.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *IPsec Tunnel Endpoints*
- GP name: *DTE*
- GP name: *DTEs*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*
@ -401,7 +401,7 @@ If this setting is not configured, users do not have Connect or Disconnect optio
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prefer Local Names Allowed*
- GP name: *NamePreferenceAllowed*
- GP name: *LocalNamesOn*
- GP path: *Network\DirectAccess Client Experience Settings*
- GP ADMX file name: *nca.admx*

14
windows/client-management/mdm/policy-csp-admx-ncsi.md
View File

@ -105,7 +105,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enable
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate DNS probe host address*
- GP name: *DnsProbeContent*
- GP name: *NCSI_CorpDnsProbeContent*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -170,7 +170,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate DNS probe host name*
- GP name: *DnsProbeHost*
- GP name: *NCSI_CorpDnsProbeHost*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -235,7 +235,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate site prefix list*
- GP name: *SitePrefixes*
- GP name: *NCSI_CorpSitePrefixes*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -300,7 +300,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify corporate Website probe URL*
- GP name: *WebProbeUrl*
- GP name: *NCSI_CorpWebProbeUrl*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -368,7 +368,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify domain location determination URL*
- GP name: *DomainLocationDeterminationUrl*
- GP name: *NCSI_DomainLocationDeterminationUrl*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -433,7 +433,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify global DNS*
- GP name: *UseGlobalDns*
- GP name: *NCSI_GlobalDns*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*
@ -498,7 +498,7 @@ Available in Windows 10 Insider Preview Build 20185. This Policy setting enables
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify passive polling*
- GP name: *DisablePassivePolling*
- GP name: *NCSI_PassivePolling*
- GP path: *Network\Network Connectivity Status Indicator*
- GP ADMX file name: *NCSI.admx*

70
windows/client-management/mdm/policy-csp-admx-netlogon.md
View File

@ -201,7 +201,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify address lookup behavior for DC locator ping*
- GP name: *AddressLookupOnPingBehavior*
- GP name: *Netlogon_AddressLookupOnPingBehavior*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -274,7 +274,7 @@ If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Return domain controller address type*
- GP name: *AddressTypeReturned*
- GP name: *Netlogon_AddressTypeReturned*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -347,7 +347,7 @@ If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.*
- GP name: *AllowDnsSuffixSearch*
- GP name: *Netlogon_AllowDnsSuffixSearch*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -422,7 +422,7 @@ If you do not configure this policy setting, Net Logon will not allow the negoti
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow cryptography algorithms compatible with Windows NT 4.0*
- GP name: *AllowNT4Crypto*
- GP name: *Netlogon_AllowNT4Crypto*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -497,7 +497,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC*
- GP name: *AllowSingleLabelDnsDomain*
- GP name: *Netlogon_AllowSingleLabelDnsDomain*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -570,7 +570,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use automated site coverage by the DC Locator DNS SRV Records*
- GP name: *AutoSiteCoverage*
- GP name: *Netlogon_AutoSiteCoverage*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -646,7 +646,7 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails*
- GP name: *AvoidFallbackNetbiosDiscovery*
- GP name: *Netlogon_AvoidFallbackNetbiosDiscovery*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -721,7 +721,7 @@ If you do not configure this policy setting, it is not applied to any DCs.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Contact PDC on logon failure*
- GP name: *AvoidPdcOnWan*
- GP name: *Netlogon_AvoidPdcOnWan*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -799,7 +799,7 @@ If the value of this setting is less than the value specified in the NegativeCac
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use initial DC discovery retry setting for background callers*
- GP name: *BackgroundRetryInitialPeriod*
- GP name: *Netlogon_BackgroundRetryInitialPeriod*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -879,7 +879,7 @@ If the value for this setting is too small and the DC is not available, the freq
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use maximum DC discovery retry interval setting for background callers*
- GP name: *BackgroundRetryMaximumPeriod*
- GP name: *Netlogon_BackgroundRetryMaximumPeriod*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -951,7 +951,7 @@ The default value for this setting is to not quit retrying (0). The maximum valu
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use final DC discovery retry setting for background callers*
- GP name: *BackgroundRetryQuitTime*
- GP name: *Netlogon_BackgroundRetryQuitTime*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -1018,7 +1018,7 @@ Available in Windows 10 Insider Preview Build 20185. This policy setting determi
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use positive periodic DC cache refresh for background callers*
- GP name: *BackgroundSuccessfulRefreshPeriod*
- GP name: *Netlogon_BackgroundSuccessfulRefreshPeriod*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -1093,7 +1093,7 @@ If you disable this policy setting or do not configure it, the default behavior
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify log file debug output level*
- GP name: *dbFlag*
- GP name: *Netlogon_DebugFlag*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -1192,7 +1192,7 @@ If you do not configure this policy setting, DCs use their local configuration.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify DC Locator DNS records not registered by the DCs*
- GP name: *DnsAvoidRegisterRecords*
- GP name: *Netlogon_DnsAvoidRegisterRecords*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1268,7 +1268,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify Refresh Interval of the DC Locator DNS records*
- GP name: *DnsRefreshInterval*
- GP name: *Netlogon_DnsRefreshInterval*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1344,7 +1344,7 @@ A reboot is not required for changes to this setting to take effect.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use lowercase DNS host names when registering domain controller SRV records*
- GP name: *DnsSrvRecordUseLowerCaseHostNames*
- GP name: *Netlogon_DnsSrvRecordUseLowerCaseHostNames*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1414,7 +1414,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set TTL in the DC Locator DNS Records*
- GP name: *DnsTtl*
- GP name: *Netlogon_DnsTtl*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1485,7 +1485,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify expected dial-up delay on logon*
- GP name: *ExpectedDialupDelay*
- GP name: *Netlogon_ExpectedDialupDelay*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -1560,7 +1560,7 @@ If you do not configure this policy setting, Force Rediscovery will be used by d
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Force Rediscovery Interval*
- GP name: *ForceRediscoveryInterval*
- GP name: *Netlogon_ForceRediscoveryInterval*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1633,7 +1633,7 @@ If you do not configure this policy setting, it is not applied to any GCs, and G
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify sites covered by the GC Locator DNS SRV Records*
- GP name: *GcSiteCoverage*
- GP name: *Netlogon_GcSiteCoverage*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1709,7 +1709,7 @@ If you disable or do not configure this policy setting, this DC processes incomi
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names*
- GP name: *IgnoreIncomingMailslotMessages*
- GP name: *Netlogon_IgnoreIncomingMailslotMessages*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1782,7 +1782,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set Priority in the DC Locator DNS SRV records*
- GP name: *LdapSrvPriority*
- GP name: *Netlogon_LdapSrvPriority*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1855,7 +1855,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set Weight in the DC Locator DNS SRV records*
- GP name: *LdapSrvWeight*
- GP name: *Netlogon_LdapSrvWeight*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -1926,7 +1926,7 @@ If you disable or do not configure this policy setting, the default behavior occ
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum log file size*
- GP name: *MaximumLogFileSize*
- GP name: *Netlogon_MaximumLogFileSize*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -1999,7 +1999,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify sites covered by the application directory partition DC Locator DNS SRV records*
- GP name: *NdncSiteCoverage*
- GP name: *Netlogon_NdncSiteCoverage*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -2071,7 +2071,7 @@ The default value for this setting is 45 seconds. The maximum value for this set
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify negative DC Discovery cache setting*
- GP name: *NegativeCachePeriod*
- GP name: *Netlogon_NegativeCachePeriod*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2149,7 +2149,7 @@ If you enable this policy setting, domain administrators should ensure that the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set Netlogon share compatibility*
- GP name: *AllowExclusiveScriptsShareAccess*
- GP name: *Netlogon_NetlogonShareCompatibilityMode*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2218,7 +2218,7 @@ The default value for this setting is 30 minutes (1800). The maximum value for t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify positive periodic DC Cache refresh for non-background callers*
- GP name: *NonBackgroundSuccessfulRefreshPeriod*
- GP name: *Netlogon_NonBackgroundSuccessfulRefreshPeriod*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2296,7 +2296,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use urgent mode when pinging domain controllers*
- GP name: *PingUrgencyMode*
- GP name: *Netlogon_PingUrgencyMode*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2373,7 +2373,7 @@ To enable the setting, click Enabled, and then specify the interval in seconds.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set scavenge interval*
- GP name: *ScavengeInterval*
- GP name: *Netlogon_ScavengeInterval*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2446,7 +2446,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify sites covered by the DC Locator DNS SRV records*
- GP name: *SiteCoverage*
- GP name: *Netlogon_SiteCoverage*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -2519,7 +2519,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify site name*
- GP name: *SiteName*
- GP name: *Netlogon_SiteName*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2597,7 +2597,7 @@ If you enable this policy setting, domain administrators should ensure that the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set SYSVOL share compatibility*
- GP name: *AllowExclusiveSysvolShareAccess*
- GP name: *Netlogon_SysvolShareCompatibilityMode*
- GP path: *System\Net Logon*
- GP ADMX file name: *Netlogon.admx*
@ -2672,7 +2672,7 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Try Next Closest Site*
- GP name: *TryNextClosestSite*
- GP name: *Netlogon_TryNextClosestSite*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*
@ -2745,7 +2745,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify dynamic registration of the DC Locator DNS Records*
- GP name: *UseDynamicDns*
- GP name: *Netlogon_UseDynamicDns*
- GP path: *System\Net Logon\DC Locator DNS Records*
- GP ADMX file name: *Netlogon.admx*

94
windows/client-management/mdm/policy-csp-admx-offlinefiles.md
View File

@ -228,7 +228,7 @@ If you disable this setting or do not configure it, the system asks users whethe
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Subfolders always available offline*
- GP name: *AlwaysPinSubFolders*
- GP name: *Pol_AlwaysPinSubFolders*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -302,7 +302,7 @@ If you do not configure this policy setting, no files or folders are made availa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify administratively assigned Offline Files*
- GP name: *AssignedOfflineFolders*
- GP name: *Pol_AssignedOfflineFiles_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -376,7 +376,7 @@ If you do not configure this policy setting, no files or folders are made availa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify administratively assigned Offline Files*
- GP name: *AssignedOfflineFolders*
- GP name: *Pol_AssignedOfflineFiles_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -447,7 +447,7 @@ If you disable or do not configure this policy setting, Windows performs a backg
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Background Sync*
- GP name: *BackgroundSyncEnabled*
- GP name: *Pol_BackgroundSyncSettings*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -528,7 +528,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Limit disk space used by Offline Files*
- GP name: *CacheQuotaLimitUnpinned*
- GP name: *Pol_CacheSize*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -612,7 +612,7 @@ Also, see the "Non-default server disconnect actions" setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Action on server disconnect*
- GP name: *GoOfflineAction*
- GP name: *Pol_CustomGoOfflineActions_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -696,7 +696,7 @@ Also, see the "Non-default server disconnect actions" setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Action on server disconnect*
- GP name: *GoOfflineAction*
- GP name: *Pol_CustomGoOfflineActions_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -776,7 +776,7 @@ If you do not configure this setting, disk space for automatically cached files
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Default cache size*
- GP name: *DefCacheSize*
- GP name: *Pol_DefCacheSize*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -850,7 +850,7 @@ If you do not configure this policy setting, Offline Files is enabled on Windows
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow or Disallow use of the Offline Files feature*
- GP name: *Enabled*
- GP name: *Pol_Enabled*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -927,7 +927,7 @@ This setting is applied at user logon. If this setting is changed after user log
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Encrypt the Offline Files cache*
- GP name: *EncryptCache*
- GP name: *Pol_EncryptOfflineFiles*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1007,7 +1007,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event logging level*
- GP name: *EventLoggingLevel*
- GP name: *Pol_EventLoggingLevel_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1087,7 +1087,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Event logging level*
- GP name: *EventLoggingLevel*
- GP name: *Pol_EventLoggingLevel_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1156,7 +1156,7 @@ If you disable or do not configure this policy setting, a user can create a file
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable file screens*
- GP name: *ExcludedFileTypes*
- GP name: *Pol_ExclusionListSettings*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1230,7 +1230,7 @@ To use this setting, type the file name extension in the "Extensions" box. To ty
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Files not cached*
- GP name: *ExcludeExtensions*
- GP name: *Pol_ExtExclusionList*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1314,7 +1314,7 @@ Also, see the "Non-default server disconnect actions" setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Action on server disconnect*
- GP name: *GoOfflineAction*
- GP name: *Pol_GoOfflineAction_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1398,7 +1398,7 @@ Also, see the "Non-default server disconnect actions" setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Action on server disconnect*
- GP name: *GoOfflineAction*
- GP name: *Pol_GoOfflineAction_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1472,7 +1472,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent use of Offline Files folder*
- GP name: *NoCacheViewer*
- GP name: *Pol_NoCacheViewer_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1546,7 +1546,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent use of Offline Files folder*
- GP name: *NoCacheViewer*
- GP name: *Pol_NoCacheViewer_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1620,7 +1620,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prohibit user configuration of Offline Files*
- GP name: *NoConfigCache*
- GP name: *Pol_NoConfigCache_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1694,7 +1694,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prohibit user configuration of Offline Files*
- GP name: *NoConfigCache*
- GP name: *Pol_NoConfigCache_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1767,7 +1767,7 @@ If you disable or do not configure this policy setting, users can manually speci
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Make Available Offline" command*
- GP name: *NoMakeAvailableOffline*
- GP name: *Pol_NoMakeAvailableOffline_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1840,7 +1840,7 @@ If you disable or do not configure this policy setting, users can manually speci
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Make Available Offline" command*
- GP name: *NoMakeAvailableOffline*
- GP name: *Pol_NoMakeAvailableOffline_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1917,7 +1917,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Make Available Offline" for these files and folders*
- GP name: *NoMakeAvailableOfflineList*
- GP name: *Pol_NoPinFiles_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -1994,7 +1994,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Make Available Offline" for these files and folders*
- GP name: *NoMakeAvailableOfflineList*
- GP name: *Pol_NoPinFiles_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2074,7 +2074,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off reminder balloons*
- GP name: *NoReminders*
- GP name: *Pol_NoReminders_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2154,7 +2154,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off reminder balloons*
- GP name: *NoReminders*
- GP name: *Pol_NoReminders_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2227,7 +2227,7 @@ If you disable or do not configure this policy setting, remote files will be not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable Transparent Caching*
- GP name: *OnlineCachingLatencyThreshold*
- GP name: *Pol_OnlineCachingSettings*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2298,7 +2298,7 @@ If you disable this setting or do not configure it, the system asks users whethe
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Subfolders always available offline*
- GP name: *AlwaysPinSubFolders*
- GP name: *Pol_AlwaysPinSubFolders*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2370,7 +2370,7 @@ If you disable this setting or do not configure it, automatically and manually c
<!--ADMXBacked-->
ADMX Info:
- GP English name: *At logoff, delete local copy of users offline files*
- GP name: *PurgeOnlyAutoCacheAtLogoff*
- GP name: *Pol_PurgeAtLogoff*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2439,7 +2439,7 @@ If you disable this policy setting, all administratively assigned folders are sy
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on economical application of administratively assigned Offline Files*
- GP name: *EconomicalAdminPinning*
- GP name: *Pol_QuickAdimPin*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2513,7 +2513,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Reminder balloon frequency*
- GP name: *ReminderFreqMinutes*
- GP name: *Pol_ReminderFreq_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2587,7 +2587,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Reminder balloon frequency*
- GP name: *ReminderFreqMinutes*
- GP name: *Pol_ReminderFreq_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2656,7 +2656,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Initial reminder balloon lifetime*
- GP name: *InitialBalloonTimeoutSeconds*
- GP name: *Pol_ReminderInitTimeout_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2725,7 +2725,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Initial reminder balloon lifetime*
- GP name: *InitialBalloonTimeoutSeconds*
- GP name: *Pol_ReminderInitTimeout_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2794,7 +2794,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Reminder balloon lifetime*
- GP name: *ReminderBalloonTimeoutSeconds*
- GP name: *Pol_ReminderTimeout_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2863,7 +2863,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Reminder balloon lifetime*
- GP name: *ReminderBalloonTimeoutSeconds*
- GP name: *Pol_ReminderTimeout_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -2942,7 +2942,7 @@ If you disable this policy setting, computers will not use the slow-link mode.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure slow-link mode*
- GP name: *SlowLinkEnabled*
- GP name: *Pol_SlowLinkSettings*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3016,7 +3016,7 @@ If this setting is disabled or not configured, the default threshold value of 64
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Slow link speed*
- GP name: *SlowLinkSpeed*
- GP name: *Pol_SlowLinkSpeed*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3094,7 +3094,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize all offline files before logging off*
- GP name: *SyncAtLogoff*
- GP name: *Pol_SyncAtLogoff_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3172,7 +3172,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize all offline files before logging off*
- GP name: *SyncAtLogoff*
- GP name: *Pol_SyncAtLogoff_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3250,7 +3250,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize all offline files when logging on*
- GP name: *SyncAtLogon*
- GP name: *Pol_SyncAtLogon_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3330,7 +3330,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize all offline files when logging on*
- GP name: *SyncAtLogon*
- GP name: *Pol_SyncAtLogon_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3402,7 +3402,7 @@ If you disable or do not configuring this setting, files are not synchronized wh
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize offline files before suspend*
- GP name: *SyncAtSuspend*
- GP name: *Pol_SyncAtSuspend_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3474,7 +3474,7 @@ If you disable or do not configuring this setting, files are not synchronized wh
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Synchronize offline files before suspend*
- GP name: *SyncAtSuspend*
- GP name: *Pol_SyncAtSuspend_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3543,7 +3543,7 @@ If this setting is disabled or not configured, synchronization will not run in t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable file synchronization on costed networks*
- GP name: *SyncEnabledForCostedNetwork*
- GP name: *Pol_SyncOnCostedNetwork*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3612,7 +3612,7 @@ If you disable or do not configure this policy setting, the "Work offline" comma
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Work offline" command*
- GP name: *WorkOfflineDisabled*
- GP name: *Pol_WorkOfflineDisabled_1*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*
@ -3681,7 +3681,7 @@ If you disable or do not configure this policy setting, the "Work offline" comma
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Work offline" command*
- GP name: *WorkOfflineDisabled*
- GP name: *Pol_WorkOfflineDisabled_2*
- GP path: *Network\Offline Files*
- GP ADMX file name: *OfflineFiles.admx*

18
windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
View File

@ -125,7 +125,7 @@ Select one of the following:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on BranchCache*
- GP name: *Enable*
- GP name: *EnableWindowsBranchCache*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -203,7 +203,7 @@ Select one of the following:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set BranchCache Distributed Cache mode*
- GP name: *Enable*
- GP name: *EnableWindowsBranchCache_Distributed*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -287,7 +287,7 @@ Hosted cache clients must trust the server certificate that is issued to the hos
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set BranchCache Hosted Cache mode*
- GP name: *Location*
- GP name: *EnableWindowsBranchCache_Hosted*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -374,7 +374,7 @@ Select one of the following:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable Automatic Hosted Cache Discovery by Service Connection Point*
- GP name: *SCPDiscoveryEnabled*
- GP name: *EnableWindowsBranchCache_HostedCacheDiscovery*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -457,7 +457,7 @@ In circumstances where this setting is enabled, you can also select and configur
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Hosted Cache Servers*
- GP name: *MultipleServers*
- GP name: *EnableWindowsBranchCache_HostedMultipleServers*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -534,7 +534,7 @@ In circumstances where this policy setting is enabled, you can also select and c
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure BranchCache for network files*
- GP name: *PeerCachingLatencyThreshold*
- GP name: *EnableWindowsBranchCache_SMB*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -618,7 +618,7 @@ In circumstances where this setting is enabled, you can also select and configur
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set percentage of disk space used for client computer cache*
- GP name: *SizePercent*
- GP name: *SetCachePercent*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -699,7 +699,7 @@ In circumstances where this setting is enabled, you can also select and configur
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set age for segments in the data cache*
- GP name: *SegmentTTL*
- GP name: *SetDataCacheEntryMaxAge*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*
@ -783,7 +783,7 @@ Select from the following versions
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Client BranchCache Version Support*
- GP name: *PreferredContentInformationVersion*
- GP name: *SetDowngrading*
- GP path: *Network\BranchCache*
- GP ADMX file name: *PeerToPeerCaching.admx*

8
windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
View File

@ -108,7 +108,7 @@ This policy setting will only take effect when the Diagnostic Policy Service is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP name: *WdiScenarioExecutionPolicy_1*
- GP path: *System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
@ -185,7 +185,7 @@ This policy setting will only take effect when the Diagnostic Policy Service is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP name: *WdiScenarioExecutionPolicy_2*
- GP path: *System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
@ -262,7 +262,7 @@ This policy setting will only take effect when the Diagnostic Policy Service is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP name: *WdiScenarioExecutionPolicy_3*
- GP path: *System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*
@ -339,7 +339,7 @@ This policy setting will only take effect when the Diagnostic Policy Service is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Scenario Execution Level*
- GP name: *ScenarioExecutionEnabled*
- GP name: *WdiScenarioExecutionPolicy_4*
- GP path: *System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics*
- GP ADMX file name: *PerformanceDiagnostics.admx*

8
windows/client-management/mdm/policy-csp-admx-reliability.md
View File

@ -105,7 +105,7 @@ If you do not configure this policy setting, the Persistent System Timestamp is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable Persistent Time Stamp*
- GP name: *TimeStampEnabled*
- GP name: *EE_EnablePersistentTimeStamp*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*
@ -180,7 +180,7 @@ Also see the "Configure Error Reporting" policy setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Report unplanned shutdown events*
- GP name: *IncludeShutdownErrs*
- GP name: *PCH_ReportShutdownEvents*
- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
- GP ADMX file name: *Reliability.admx*
@ -258,7 +258,7 @@ If you do not configure this policy setting, the default behavior for the System
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Activate Shutdown Event Tracker System State Data feature*
- GP name: *SnapShot*
- GP name: *ShutdownEventTrackerStateFile*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*
@ -338,7 +338,7 @@ If you do not configure this policy setting, the default behavior for the Shutdo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display Shutdown Event Tracker*
- GP name: *ShutdownReasonOn*
- GP name: *ShutdownReason*
- GP path: *System*
- GP ADMX file name: *Reliability.admx*

24
windows/client-management/mdm/policy-csp-admx-scripts.md
View File

@ -124,7 +124,7 @@ If you disable or do not configure this policy setting, user account cross-fores
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow logon scripts when NetBIOS or WINS is disabled*
- GP name: *Allow-LogonScript-NetbiosDisabled*
- GP name: *Allow_Logon_Script_NetbiosDisabled*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -199,7 +199,7 @@ If you disable or do not configure this setting the system lets the combined set
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum wait time for Group Policy scripts*
- GP name: *MaxGPOScriptWait*
- GP name: *MaxGPOScriptWaitPolicy*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -291,7 +291,7 @@ Within GPO C: C.cmd, C.ps1
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run Windows PowerShell scripts first at computer startup, shutdown*
- GP name: *RunComputerPSScriptsFirst*
- GP name: *Run_Computer_PS_Scripts_First*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -364,7 +364,7 @@ Also, see the "Run Logon Scripts Visible" setting.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run legacy logon scripts hidden*
- GP name: *HideLegacyLogonScripts*
- GP name: *Run_Legacy_Logon_Script_Hidden*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -435,7 +435,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in logoff scripts as they run*
- GP name: *HideLogoffScripts*
- GP name: *Run_Logoff_Script_Visible*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -506,7 +506,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run logon scripts synchronously*
- GP name: *RunLogonScriptSync*
- GP name: *Run_Logon_Script_Sync_1*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -577,7 +577,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run logon scripts synchronously*
- GP name: *RunLogonScriptSync*
- GP name: *Run_Logon_Script_Sync_2*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -648,7 +648,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in logon scripts as they run*
- GP name: *HideLogonScripts*
- GP name: *Run_Logon_Script_Visible*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -719,7 +719,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in shutdown scripts as they run*
- GP name: *HideShutdownScripts*
- GP name: *Run_Shutdown_Script_Visible*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -793,7 +793,7 @@ If you disable or do not configure this policy setting, a startup cannot run unt
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run startup scripts asynchronously*
- GP name: *RunStartupScriptSync*
- GP name: *Run_Startup_Script_Sync*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -867,7 +867,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display instructions in startup scripts as they run*
- GP name: *HideStartupScripts*
- GP name: *Run_Startup_Script_Visible*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*
@ -962,7 +962,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run Windows PowerShell scripts first at user logon, logoff*
- GP name: *RunUserPSScriptsFirst*
- GP name: *Run_User_PS_Scripts_First*
- GP path: *System\Scripts*
- GP ADMX file name: *Scripts.admx*

6
windows/client-management/mdm/policy-csp-admx-sdiageng.md
View File

@ -97,7 +97,7 @@ If you disable this policy setting, users can only access and search troubleshoo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)*
- GP name: *EnableQueryRemoteServer*
- GP name: *BetterWhenConnected*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*
@ -168,7 +168,7 @@ Note that this setting also controls a user's ability to launch standalone troub
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Troubleshooting: Allow users to access and run Troubleshooting Wizards*
- GP name: *EnableDiagnostics*
- GP name: *ScriptedDiagnosticsExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*
@ -237,7 +237,7 @@ If you disable or do not configure this policy setting, the scripted diagnostics
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Security Policy for Scripted Diagnostics*
- GP name: *ValidateTrust*
- GP name: *ScriptedDiagnosticsSecurityPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics*
- GP ADMX file name: *sdiageng.admx*

2
windows/client-management/mdm/policy-csp-admx-securitycenter.md
View File

@ -103,7 +103,7 @@ In Windows Vista, this policy setting monitors essential security settings to in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Security Center (Domain PCs only)*
- GP name: *SecurityCenterInDomain*
- GP name: *SecurityCenter_SecurityCenterInDomain*
- GP path: *Windows Components\Security Center*
- GP ADMX file name: *Securitycenter.admx*

2
windows/client-management/mdm/policy-csp-admx-servicing.md
View File

@ -93,7 +93,7 @@ If you disable or do not configure this policy setting, or if the required files
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify settings for optional component installation and component repair*
- GP name: *RepairContentServerSource*
- GP name: *Servicing*
- GP path: *System*
- GP ADMX file name: *Servicing.admx*

6
windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
View File

@ -174,7 +174,7 @@ To prevent users from using other administrative tools, use the "Run only specif
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent access to registry editing tools*
- GP name: *DisableRegistryTools*
- GP name: *DisableRegedit*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
@ -250,7 +250,7 @@ This policy setting only prevents users from running programs that are started b
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Don't run specified Windows applications*
- GP name: *DisallowRun*
- GP name: *DisallowApps*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*
@ -325,7 +325,7 @@ This policy setting only prevents users from running programs that are started b
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run only specified Windows applications*
- GP name: *RestrictRun*
- GP name: *RestrictApps*
- GP path: *System*
- GP ADMX file name: *Shell-CommandPrompt-RegEditTools.admx*

4
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -142,8 +142,8 @@ Here's an example:
</groupmembership>
```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
> [!NOTE]

12
windows/client-management/mdm/policy-csp-update.md
View File

@ -1925,7 +1925,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
<!--/Description-->
<!--ADMXMapped-->
@ -2918,7 +2918,7 @@ The following list shows the supported values:
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
Added in Windows 10, version 1607. Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
<!--/Description-->
<!--ADMXMapped-->
@ -2934,7 +2934,7 @@ ADMX Info:
The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
- 1 Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
<!--/SupportedValues-->
<!--/Policy-->
@ -2985,7 +2985,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
@ -3047,7 +3047,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
Added in Windows 10, version 1607. Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead.
<!--/Description-->
<!--ADMXMapped-->
@ -3114,7 +3114,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.

1
windows/deployment/TOC.yml
View File

@ -199,6 +199,7 @@
- name: Data handling and privacy in Update Compliance
href: update/update-compliance-privacy.md
- name: Update Compliance schema reference
href: update/update-compliance-schema.md
items:
- name: WaaSUpdateStatus
href: update/update-compliance-schema-waasupdatestatus.md

5
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -30,9 +30,9 @@ version of the software.
We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released twice per year, around March and September. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@ -104,4 +104,3 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.

30
windows/deployment/update/media-dynamic-update.md
View File

@ -79,7 +79,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
|Add .Net and .Net cumulative updates | | | 24 |
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
### Multiple Windows editions
@ -90,7 +90,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@ -107,7 +107,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```
```powershell
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@ -160,21 +160,21 @@ New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updateed media.
# Keep the original media, make a copy of it for the new, updated media.
Write-Host "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
It finishes by cleaning and exporting the image to reduce the image size.
> [!NOTE]
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```
```powershell
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
@ -255,7 +255,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
```
```powershell
#
# update Windows Preinstallation Environment (WinPE)
#
@ -345,11 +345,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
```
```powershell
#
# update Main OS
#
@ -398,14 +398,14 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
Write-Host "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .Net Cumulative Update
# Add .NET Cumulative Update
Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
@ -422,7 +422,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
```
```powershell
#
# update remaining files on media
#
@ -435,7 +435,7 @@ cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PA
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
```
```powershell
#
# Perform final cleanup
#

3
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -48,6 +48,9 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
> [!NOTE]
> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
### Group Policies
All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.

6
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -19,7 +19,11 @@ ms.topic: article
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
> [!NOTE]
> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized

3
windows/deployment/update/update-compliance-schema.md
View File

@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
> [!NOTE]
> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |

10
windows/deployment/update/update-compliance-using.md
View File

@ -62,21 +62,19 @@ The following is a breakdown of the different sections available in Update Compl
## Update Compliance data latency
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows:
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate at which each type of data is sent from the device and how long it takes to be ready for Update Compliance varies, roughly outlined below.
The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.
| Data Type | Data upload rate from device | Data Latency |
|--|--|--|
|WaaSUpdateStatus | Once per day |4 hours |
|WaaSInsiderStatus| Once per day |4 hours |
|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
|WDAVStatus|On signature update|24 hours |
|WDAVThreat|On threat detection|24 hours |
|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
|WUDOStatus|Once per day|12 hours |
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh).
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours.
## Using Log Analytics
@ -89,4 +87,4 @@ See below for a few topics related to Log Analytics:
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)
[Get started with Update Compliance](update-compliance-get-started.md)

18
windows/deployment/update/waas-configure-wufb.md
View File

@ -5,7 +5,7 @@ manager: laurawi
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.collection: M365initiative-coredeploy
audience: itpro
author: jaimeo
ms.localizationpriority: medium
@ -48,7 +48,7 @@ With Windows Update for Business, you can set a device to be on either Windows I
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
@ -73,7 +73,7 @@ For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriod
</br></br>
**Policy settings for deferring feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
@ -97,7 +97,7 @@ In cases where the pause policy is first applied after the configured start date
**Policy settings for pausing feature updates**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates</br>**1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime |
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
@ -134,7 +134,7 @@ You can set your system to receive updates for other Microsoft products—known
**Policy settings for deferring quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
@ -157,7 +157,7 @@ In cases where the pause policy is first applied after the configured start date
**Policy settings for pausing quality updates**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
| GPO for Windows 10, version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
@ -207,7 +207,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
**Policy settings to exclude drivers**
| Policy | Sets registry key under **HKLM\Software** |
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 10, version 1607 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
@ -220,7 +220,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)</br> 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel </br>32: systems take Feature Updates from Semi-annual Channel </br>Note: Other value or absent: receive all applicable updates |
| BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)</br> 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel </br>32: systems take Feature Updates from Semi-Annual Channel </br>Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updates</br>Other value or absent: dont defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
@ -234,7 +234,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)</br> 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel </br>32: systems take Feature Updates from Semi-annual Channel </br>Note: Other value or absent: receive all applicable updates |
| BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)</br> 4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)</br> 8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)</br> 16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-Annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-Annual Channel </br>32: systems take Feature Updates from Semi-Annual Channel </br>Note: Other value or absent: receive all applicable updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |

7
windows/deployment/update/waas-delivery-optimization.md
View File

@ -1,6 +1,5 @@
---
title: Delivery Optimization for Windows 10 updates
ms.reviewer:
manager: laurawi
description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
@ -10,7 +9,9 @@ audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.collection:
- M365-modern-desktop
- M365initiative-coredeploy
ms.topic: article
---
@ -111,7 +112,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Reference

5
windows/deployment/update/waas-integrate-wufb.md
View File

@ -6,8 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 07/27/2017
ms.reviewer:
ms.collection: M365initiative-coredeploy
manager: laurawi
ms.topic: article
---
@ -69,7 +68,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f
- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
- Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.

2
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -84,7 +84,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
![Example of UI](images/waas-wsus-fig5.png)
>[!IMPORTANT]
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).

2
windows/deployment/update/waas-overview.md
View File

@ -101,7 +101,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).

13
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -52,10 +52,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
>[!IMPORTANT]
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
**To assign a single devices locally to the Semi-Annual Channel**
1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
2. Select **Defer feature updates**.
>[!NOTE]
>Devices will automatically recieve updates from the Semi-Annual Channel, unless they are configured to recieve preview updates through the Windows Insider Program.
**To assign devices to the Semi-Annual Channel by using Group Policy**
@ -99,7 +97,7 @@ For more information, see [Windows Insider Program for Business](waas-windows-in
## Block access to Windows Insider Program
To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
To prevent devices in your organization from being enrolled in the Insider Program for early releases of Windows 10:
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
@ -164,10 +162,11 @@ During the life of a device, it might be necessary or desirable to switch betwee
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
>[!NOTE]
> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
> Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported.
## Steps to manage updates for Windows 10

7
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -9,6 +9,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
ms.collection: M365initiative-coredeploy
---
# Prepare servicing strategy for Windows 10 updates
@ -29,9 +30,9 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Heres an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before theyre available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-Annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that youre looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- **Choose a servicing tool.** Decide which product youll use to manage the Windows updates in your environment. If youre currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product youll use, consider how youll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
@ -43,7 +44,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but its still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that youre looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but its still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that youre looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you dont prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.

6
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
ms.collection: M365initiative-coredeploy
manager: laurawi
ms.topic: article
---
@ -59,7 +59,7 @@ Both Windows 10 feature and quality updates are automatically offered to devices
To enable Microsoft Updates use the Group Policy Management Console go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** and select **Install updates for other Microsoft products**.
Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
Drivers are automatically enabled because they are beneficial to device systems. We recommend that you allow the driver policy to allow drivers to update on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use the Group Policy Management Console to go to **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** and enable the policy.
We also recommend that you allow Microsoft product updates as discussed previously.
@ -138,7 +138,7 @@ When you set these policies, installation happens automatically at the specified
We recommend that you use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline for automatic updates and restarts** for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart.
This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardles of active hours.
This policies also offers an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:

98
windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
View File

@ -20,22 +20,25 @@ ms.topic: article
# Activate using Key Management Service
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
- Host KMS on a computer running Windows 10
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
@ -43,14 +46,15 @@ Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.co
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsofts activation services.
To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
**Configure KMS in Windows 10**
### Configure KMS in Windows 10
To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
- To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
- To activate online, type `slmgr.vbs /ato`.
- To activate by telephone , follow these steps:
- To activate by telephone, follow these steps:
1. Run `slmgr.vbs /dti` and confirm the installation ID.
2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
@ -59,51 +63,51 @@ To activate , use the slmgr.vbs command. Open an elevated command prompt and run
For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
**Note**  
You cannot install a client KMS key into the KMS in Windows Server.
> [!NOTE]
> You cannot install a client KMS key into the KMS in Windows Server.
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
**Note**  
> [!NOTE]
> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](https://go.microsoft.com/fwlink/p/?LinkId=620687).
**Configure KMS in Windows Server 2012 R2**
### Configure KMS in Windows Server 2012 R2
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
**Figure 4**. Adding the Volume Activation Services role in Server Manager\
**Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg)
**Figure 5**. Launching the Volume Activation Tools
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg)
**Figure 6**. Configuring the computer as a KMS host
5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
**Figure 7**. Installing your KMS host key
6. If asked to confirm replacement of an existing key, click **Yes**.
7. After the product key is installed, you must activate it. Click **Next** (Figure 8).
7. If asked to confirm replacement of an existing key, click **Yes**.
8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
![Activating the software](../images/volumeactivationforwindows81-08.jpg)
**Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9.
@ -123,25 +127,27 @@ You can verify KMS volume activation from the KMS host server or from the client
To verify that KMS volume activation works, complete the following steps:
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.<p>
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.<p>
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://go.microsoft.com/fwlink/p/?LinkId=733639).
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
3. Install the new KMS host key on your KMS host.
4. Activate the new KMS host key by running the slmgr.vbs script.
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
3. Install the new KMS host key on your KMS host.
4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

34
windows/deployment/volume-activation/introduction-vamt.md
View File

@ -19,24 +19,26 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
**Note**  
VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
> [!NOTE]
> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
## In this Topic
- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
@ -55,13 +57,13 @@ The following screenshot shows the VAMT graphical user interface.
![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)

2
windows/security/identity-protection/access-control/special-identities.md
View File

@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.

6
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -18,14 +18,14 @@ ms.date: 02/28/2019
ms.custom: bitlocker
---
# BCD settings and BitLocker
# Boot Configuration Data settings and BitLocker
**Applies to**
- Windows 10
This topic for IT professionals describes the BCD settings that are used by BitLocker.
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings

2
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -28,7 +28,7 @@ This topic for the IT professional explains how BitLocker features can be used t
## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.

8
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -43,7 +43,7 @@ Before Windows starts, you must rely on security features implemented as part of
### Trusted Platform Module
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview).
@ -126,7 +126,7 @@ For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” sectio
## Attack countermeasures
This section covers countermeasures for specific types attacks.
This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
@ -162,7 +162,7 @@ The following sections cover mitigations for different types of attackers.
Physical access may be limited by a form factor that does not expose buses and memory.
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Pre-boot authentication set to TPM only (the default)
@ -172,7 +172,7 @@ Mitigation:
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
Mitigation:
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation).
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-And-

2
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -23,7 +23,7 @@ ms.custom: bitlocker
- Windows 10
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organizations confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
Value format without proxy:
```console
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
```
### Protected domains

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
@ -90,7 +90,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.

11
windows/security/threat-protection/TOC.md
View File

@ -256,9 +256,17 @@
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for iOS]()
#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
#### [Deploy]()
##### [App-based deployment](microsoft-defender-atp/ios-install.md)
#### [Configure]()
##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
@ -536,6 +544,7 @@
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
####### [Set device value](microsoft-defender-atp/set-device-value.md)
###### [Machine Action]()
####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
@ -700,7 +709,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)

35
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
View File

@ -1,7 +1,7 @@
---
title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
@ -25,7 +25,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
> [!NOTE]
> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation <path>
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
```Dos
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
@ -86,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will
| field | Description |
|:----|:----|
| path | The path as specified on the commandline or retrieved from configuration
| MMDD | Month Day when the diagnostic data was collected (eg 0530)
| hostname | the hostname of the device on which the diagnostic data was collected.
| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
| path | The path as specified on the command line or retrieved from configuration
| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
| hostname | The hostname of the device on which the diagnostic data was collected
| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
> [!NOTE]
> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
## Specify location where diagnostic data is created
You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
1. Select **Define the directory path to copy support log files**.
![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
3. Inside the policy editor, select **Enabled**.
4. Specify the directory path where you want to copy the support log files in the **Options** field.
![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
5. Select **OK** or **Apply**.
## See also

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
View File

@ -59,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
>[!NOTE]
>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
> [!NOTE]
> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
## Use PowerShell to configure scanning options

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 314 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 140 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

28
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -71,6 +71,30 @@ All our updates contain:
* integration improvements (Cloud, MTP)
<br/>
<details>
<summary> September-2020 (Platform: 4.18.2009.X | Engine: 1.1.17500.4)</summary>
&ensp;Security intelligence update version: **1.325.10.0**
&ensp;Released: **October 01, 2020**
&ensp;Platform: **4.18.2009.X**
&ensp;Engine: **1.1.17500.4**
&ensp;Support phase: **Security and Critical Updates**
### What's new
*Admin permissions are required to restore files in quarantine
*XML formatted events are now supported
*CSP support for ignoring exclusion merge
*New management interfaces for:
+UDP Inspection
+Network Protection on Server 2019
+IP Address exclusions for Network Protection
*Improved visibility into TPM measurements
*Improved Office VBA module scanning
### Known Issues
No known issues
<br/>
</details>
<details>
<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
&ensp;Security intelligence update version: **1.323.9.0**
@ -84,7 +108,7 @@ All our updates contain:
* Improved scan event telemetry
* Improved behavior monitoring for memory scans
* Improved macro streams scanning
* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
* Added "AMRunningMode" to Get-MpComputerStatus PowerShell CmdLet
### Known Issues
No known issues
@ -116,7 +140,7 @@ No known issues
&ensp;Released: **June 22, 2020**
&ensp;Platform: **4.18.2006.10**
&ensp;Engine: **1.1.17200.2**
&ensp;Support phase: **Security and Critical Updates**
&ensp;Support phase: **Technical upgrade Support (Only)**
### What's new
* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)

3
windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
View File

@ -64,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic
You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
> [!NOTE]
> This setting is not supported on Windows 10.
### Use Group Policy to prevent users from pausing a scan
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.

13
windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 07/22/2020
ms.date: 09/30/2020
ms.reviewer:
manager: dansimp
---
@ -28,14 +28,13 @@ manager: dansimp
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
To configure the Group Policy settings described in this topic:
## To configure the Group Policy settings described in this article
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -201,7 +200,7 @@ Scan | Specify the time for a daily quick scan | Specify the number of minutes a
Use the following cmdlets:
```PowerShell
Set-MpPreference -ScanScheduleQuickTime
Set-MpPreference -ScanScheduleQuickScanTime
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@ -229,9 +228,7 @@ Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
## Related topics
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)

134
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md Normal file
View File

@ -0,0 +1,134 @@
---
title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: martyav
ms.author: v-maave
ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
---
# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
## Review event logs
Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
From there, select **Open** underneath **Operational**.
Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
## Microsoft Defender Antivirus won't start
This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
### Associated event IDs
Event ID | Log name | Description | Source
-|-|-|-
15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
> [!TIP]
> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
#### Use Services app to check if Microsoft Defender Antivirus is turned off
To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
#### Generate a detailed report
You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
```powershell
GPresult.exe /h gpresult.html
```
This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
##### Group policy results
##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
Policy | Setting | Winning GPO
-|-|-
Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
###### If security settings are implemented via Group policy preference (GPP)
Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
DisableAntiSpyware | -
-|-
Winning GPO | Win10-Workstations
Result: Success |
**General** |
Action | Update
**Properties** |
Hive | HKEY_LOCAL_MACHINE
Key path | SOFTWARE\Policies\Microsoft\Windows Defender
Value name | DisableAntiSpyware
Value type | REG_DWORD
Value data | 0x1 (1)
###### If security settings are implemented via registry key
The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
> Registry (regedit.exe)
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
> DisableAntiSpyware (dword) 1 (hex)
###### If security settings are set in Windows or your Windows Server image
Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
### Turn Microsoft Defender Antivirus back on
Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
> [!WARNING]
> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
> [!IMPORTANT]
> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
### See also
* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)

6
windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
View File

@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
ms.date: 10/01/2018
ms.reviewer: ksarens
manager: dansimp
---
@ -96,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r
Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)

19
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.date: 09/28/2020
ms.date: 09/30/2020
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -87,22 +87,7 @@ You can configure the following levels of automation:
> [!IMPORTANT]
> Regarding automation levels and default settings:
> - If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**.
> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
### A few points to keep in mind
- Your level of automation is determined by your device group settings. To learn more, see [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
- If your Microsoft Defender for Endpoint tenant was created before August 16, 2020, then you have a default device group that is configured for semi-automatic remediation. In this case, some or all remediation actions for malicious entities require approval. Such actions are listed on the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can set your [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups) to use full automation so that no user approval is needed.
- If your Microsoft Defender for Endpoint tenant was created on or after August 16, 2020, then you have a default device group that is configured for full automation. In this case, remediation actions are taken automatically for entities that are considered to be malicious. Such actions are listed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
## Next steps

168
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -29,104 +29,104 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
## Enable the Insider program with Jamf
a. Create configuration profile com.microsoft.wdav.plist with the following content:
1. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</plist>
```
b. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
1. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
c. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier.
1. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier.
>[!WARNING]
>You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
> [!WARNING]
> You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
## Enable the Insider program with Intune
a. Create configuration profile com.microsoft.wdav.plist with the following content:
1. Create configuration profile com.microsoft.wdav.plist with the following content:
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>edr</key>
<dict>
<key>earlyPreview</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
b. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
1. Open **Manage > Device configuration**. Select **Manage > Profiles > Create Profile**.
c. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
d. Save the .plist created earlier as com.microsoft.wdav.xml.
1. Save the .plist created earlier as com.microsoft.wdav.xml.
e. Enter com.microsoft.wdav as the custom configuration profile name.
1. Enter com.microsoft.wdav as the custom configuration profile name.
f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1.
g. Select **OK**.
1. Select **OK**.
h. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
1. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
>[!WARNING]
>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
> [!WARNING]
> You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Enable the Insider program manually on a single device
@ -134,7 +134,7 @@ In terminal, run:
```bash
mdatp --edr --early-preview true
```
```
For versions earlier than 100.78.0, run:
@ -161,4 +161,4 @@ After a successful deployment and onboarding of the correct version, check that
* Check that you enabled the early preview flag. In terminal run “mdatp health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

BIN
windows/security/threat-protection/microsoft-defender-atp/images/41627a709700c324849bf7e13510c516.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 612 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 717 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 751 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 382 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 869 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/big-sur-install-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 395 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/e07f270419f7b1e5ee6744f8b38ddeaf.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-choose-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 297 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-create-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 118 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-final.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 266 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-profile-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 328 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-scope.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 306 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 231 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/netext-upload-file2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 235 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 361 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/sysext-configure2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 381 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/sysext-final.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 288 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/sysext-new-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 359 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/sysext-scope.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 328 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tcc-add-entry.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 397 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 406 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tcc-epsext-entry2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 406 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/testflight-get.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 326 KiB

47
windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Configure Microsoft Defender ATP for iOS features
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for iOS features
keywords: microsoft, defender, atp, ios, configure, features, ios
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for iOS features
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
## Configure custom indicators
Microsoft Defender ATP for iOS enables admins to configure custom indicators on
iOS devices as well. Refer to [Manage
indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
on how to configure custom indicators
## Web Protection
By default, Microsoft Defender ATP for iOS includes and enables the web
protection feature. [Web
protection](web-protection-overview.md) helps
to secure devices against web threats and protect users from phishing attacks.
>[!NOTE]
>Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.

80
windows/security/threat-protection/microsoft-defender-atp/ios-install.md Normal file
View File

@ -0,0 +1,80 @@
---
title: App-based deployment for Microsoft Defender ATP for iOS
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for iOS using an app
keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# App-based deployment for Microsoft Defender ATP for iOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
Deployment devices need to be enrolled on Intune Company portal. Refer to
[Enroll your
device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
learn more about Intune device enrollment
## Before you begin
- Ensure you have access to [Microsoft Endpoint manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
## Deployment steps
To install Microsoft Defender ATP for iOS, end-users can visit
<https://aka.ms/defenderios> on their iOS devices. This link will open the
TestFlight application on their device or prompt them to install TestFlight. On
the TestFlight app, follow the onscreen instructions to install Microsoft
Defender ATP.
![Image of deployment steps](images/testflight-get.png)
## Complete onboarding and check status
1. Once Microsoft Defender ATP for iOS has been installed on the device, you
will see the app icon.
![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
2. Tap the Microsoft Defender ATP app icon and follow the on-screen
instructions to complete the onboarding steps. The details include end-user
acceptance of iOS permissions required by Microsoft Defender ATP for iOS.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
> [!div class="mx-imgBorder"]
> ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
## Next Steps
[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)

35
windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
View File

@ -28,7 +28,8 @@ ms.topic: conceptual
This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
- [Application installation](#application-installation)
- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
@ -48,7 +49,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
5. From a command prompt, verify that you have the two files.
## Application installation
## Application installation (macOS 10.15 and older versions)
To complete this process, you must have admin privileges on the device.
@ -65,7 +66,7 @@ To complete this process, you must have admin privileges on the device.
![App install screenshot](../microsoft-defender-antivirus/images/MDATP-30-SystemExtension.png)
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
![Security and privacy window screenshot](../microsoft-defender-antivirus/images/MDATP-31-SecurityPrivacySettings.png)
@ -77,6 +78,34 @@ To complete this process, you must have admin privileges on the device.
> [!NOTE]
> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
## Application installation (macOS 11 and newer versions)
To complete this process, you must have admin privileges on the device.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
![App install screenshot](images/big-sur-install-1.png)
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
![System extension approval](images/big-sur-install-2.png)
4. From the **Security & Privacy** window, select **Allow**.
![System extension security preferences](images/big-sur-install-3.png)
5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
![System extension security preferences](images/big-sur-install-4.png)
7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
![Full disk access](images/big-sur-install-5.png)
## Client configuration
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.

238
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
View File

@ -34,6 +34,7 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune
1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
1. [Client device setup](#client-device-setup)
1. [Approve system extensions](#approve-system-extensions)
1. [Create System Configuration profiles](#create-system-configuration-profiles)
1. [Publish application](#publish-application)
@ -48,24 +49,30 @@ The following table summarizes the steps you would need to take to deploy and ma
| Step | Sample file names | BundleIdentifier |
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
![Onboarding settings screenshot](images/atp-mac-install.png)
3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
6. From a command prompt, verify that you have the three files.
@ -130,228 +137,116 @@ You do not need any special provisioning for a Mac device beyond a standard [Com
2. Select **Continue** and complete the enrollment.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
> [!div class="mx-imgBorder"]
> ![Add Devices screenshot](../microsoft-defender-antivirus/images/MDATP-5-allDevices.png)
## Approve System Extensions
To approve the system extensions:
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
3. In the `Basics` tab, give a name to this new profile.
4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
Bundle identifier | Team identifier
--------------------------|----------------
com.microsoft.wdav.epsext | UBF8T346G9
com.microsoft.wdav.netext | UBF8T346G9
> [!div class="mx-imgBorder"]
> ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
6. Review and create this configuration profile.
## Create System Configuration profiles
1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
4. Select **OK**.
![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png)
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.<a name="create-system-configuration-profiles-step-8" id = "create-system-configuration-profiles-step-8"></a>
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
>
> The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
> This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Comment</key>
<string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
<key>Identifier</key>
<string>com.microsoft.wdav</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
```
9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
9. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload: <a name = "create-system-configuration-profiles-step-9" id = "create-system-configuration-profiles-step-9"></a>
10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. <a name = "create-system-configuration-profiles-step-10" id = "create-system-configuration-profiles-step-10"></a>
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdav.tray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
> [!div class="mx-imgBorder"]
> ![System configuration profiles screenshot](../microsoft-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png)
## Publish application
1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
5. Use **macOS High Sierra 10.13** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
>
> If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
> [!div class="mx-imgBorder"]
> ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png)
7. Select **OK** and **Add**.
![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
> [!div class="mx-imgBorder"]
> ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-9-IntunePkgInfo.png)
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
> [!div class="mx-imgBorder"]
> ![Client apps screenshot](../microsoft-defender-antivirus/images/MDATP-10-ClientApps.png)
9. Change **Assignment type** to **Required**.
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
> [!div class="mx-imgBorder"]
> ![Intune assignments info screenshot](../microsoft-defender-antivirus/images/MDATP-11-Assignments.png)
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
> [!div class="mx-imgBorder"]
> ![Intune device status screenshot](../microsoft-defender-antivirus/images/MDATP-12-DeviceInstall.png)
## Verify client device state
@ -365,7 +260,8 @@ Once the Intune changes are propagated to the enrolled devices, you can see them
3. You should also see the Microsoft Defender icon in the top-right corner:
![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
> [!div class="mx-imgBorder"]
> ![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png)
## Troubleshooting

35
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
View File

@ -48,7 +48,7 @@ Most modern MDM solutions include these features, however, they may call them di
You can deploy Defender without the last requirement from the preceding list, however:
- You will not be able to collect status in a centralized way
- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator
- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
## Deployment
@ -70,13 +70,44 @@ Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be ext
Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
### Kernel extension policy
Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
### System extension policy
Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
- com.microsoft.wdav.epsext
- com.microsoft.wdav.netext
### Full disk access policy
Grant Full Disk Access to the following components:
- Microsoft Defender ATP
- Identifier: `com.microsoft.wdav`
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
- Microsoft Defender ATP Endpoint Security Extension
- Identifier: `com.microsoft.wdav.epsext`
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
### Network extension policy
As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
- Filter type: Plugin
- Plugin bundle identifier: `com.microsoft.wdav`
- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
- Filter sockets: `true`
## Check installation status
Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.

534
windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
View File

@ -44,9 +44,13 @@ You'll need to take the following steps:
7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
9. [Configure Network Extension](#step-9-configure-network-extension)
10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
## Step 1: Get the Microsoft Defender ATP onboarding package
@ -155,106 +159,106 @@ You'll need to take the following steps:
For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</plist>
```
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</plist>
```
2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
@ -266,11 +270,12 @@ You'll need to take the following steps:
4. Enter the following details:
**General**
- Name: MDATP MDAV configuration settings
- Description:\<blank\>
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
- Name: MDATP MDAV configuration settings
- Description:\<blank\>
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
@ -336,100 +341,21 @@ You'll need to take the following steps:
These steps are applicable of macOS 10.15 (Catalina) or newer.
1. Use the following Microsoft Defender ATP notification configuration settings:
1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/><key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer><key>BadgesEnabled</key>
<true/><key>BundleIdentifier</key>
<string>com.microsoft.wdav.tray</string>
<key>CriticalAlertEnabled</key>
<false/><key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/><key>ShowInLockScreen</key>
<false/><key>ShowInNotificationCenter</key>
<true/><key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/><key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/><key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string/><key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key><true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/><key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
2. Save it as `MDATP_MDAV_notification_settings.plist`.
2. Save it as `MDATP_MDAV_notification_settings.plist`.
3. In the Jamf Pro dashboard, select **General**.
4. Enter the following details:
**General**
- Name: MDATP MDAV Notification settings
- Description: macOS 10.15 (Catalina) or newer
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
- Name: MDATP MDAV Notification settings
- Description: macOS 10.15 (Catalina) or newer
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png)
@ -475,11 +401,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
1. Use the following Microsoft Defender ATP configuration settings:
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Production</string>
<key>HowToCheck</key>
@ -490,9 +416,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
</dict>
</plist>
```
</dict>
</plist>
```
2. Save it as `MDATP_MDAV_MAU_settings.plist`.
@ -503,11 +429,12 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
4. Enter the following details:
**General**
- Name: MDATP MDAV MAU settings
- Description: Microsoft AutoUpdate settings for MDATP for macOS
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
- Name: MDATP MDAV MAU settings
- Description: Microsoft AutoUpdate settings for MDATP for macOS
- Category: None (default)
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
5. In **Application & Custom Settings** select **Configure**.
@ -582,10 +509,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier: `com.microsoft.wdav`
- Identifier Type: Bundle ID
- Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
leaf[subject.OU] = UBF8T346G9
- Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
@ -594,32 +518,53 @@ leaf[subject.OU] = UBF8T346G9
![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
- Under App or service: Set to **SystemPolicyAllFiles**
- Under App or service: Set to **SystemPolicyAllFiles**
- Under "access": Set to **Allow**
- Under "access": Set to **Allow**
7. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
8. Select the **Scope** tab.
8. Click the `+` sign next to **App Access** to add a new entry.
![Image of configuration setting](images/tcc-add-entry.png)
9. Enter the following details:
- Identifier: `com.microsoft.wdav.epsext`
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
10. Select **+ Add**.
![Image of configuration setting](images/tcc-epsext-entry.png)
- Under App or service: Set to **SystemPolicyAllFiles**
- Under "access": Set to **Allow**
11. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/tcc-epsext-entry2.png)
12. Select the **Scope** tab.
![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
9. Select **+ Add**.
13. Select **+ Add**.
![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
11. Select **Add**.
15. Select **Add**.
12. Select **Save**.
16. Select **Save**.
13. Select **Done**.
17. Select **Done**.
![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
@ -635,11 +580,12 @@ leaf[subject.OU] = UBF8T346G9
2. Enter the following details:
**General**
- Name: MDATP MDAV Kernel Extension
- Description: MDATP kernel extension (kext)
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
- Name: MDATP MDAV Kernel Extension
- Description: MDATP kernel extension (kext)
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png)
@ -648,11 +594,10 @@ leaf[subject.OU] = UBF8T346G9
![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
4. In **Approved Kernel Extensions** Enter the following details:
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png)
@ -677,10 +622,119 @@ leaf[subject.OU] = UBF8T346G9
![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
## Step 8: Schedule scans with Microsoft Defender ATP for Mac
## Step 8: Approve System extensions for Microsoft Defender ATP
1. In the **Configuration Profiles**, select **+ New**.
![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png)
2. Enter the following details:
**General**
- Name: MDATP MDAV System Extensions
- Description: MDATP system extensions
- Category: None
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/sysext-new-profile.png)
3. In **System Extensions** select **Configure**.
![Image of configuration settings](images/sysext-configure.png)
4. In **System Extensions** enter the following details:
- Display Name: Microsoft Corp. System Extensions
- System Extension Types: Allowed System Extensions
- Team Identifier: UBF8T346G9
- Allowed System Extensions:
- **com.microsoft.wdav.epsext**
- **com.microsoft.wdav.netext**
![Image of configuration settings](images/sysext-configure2.png)
5. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
6. Select **+ Add**.
7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
8. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
9. Select **Save**.
![Image of configuration settings](images/sysext-scope.png)
10. Select **Done**.
![Image of configuration settings](images/sysext-final.png)
## Step 9: Configure Network Extension
As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
>[!NOTE]
>JAMF doesnt have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
>As such, the following steps provide a workaround that involve signing the configuration profile.
1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig`
2. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMFs built-in certificate authority
3. After the certificate is created and installed to your device, run the following command from the Terminal from a macOS device:
```bash
$ security cms -S -N "<certificate name>" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig
```
![Terminal window with command to create signed configuration](images/netext-create-profile.png)
4. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button.
![Image of upload window](images/netext-upload-file.png)
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
![Image of upload window](images/netext-choose-file.png)
6. Select **Upload**.
![Image of upload window](images/netext-upload-file2.png)
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
![Image of new configuration profile](images/netext-profile-page.png)
8. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
9. Select **+ Add**.
10. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
11. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
12. Select **Save**.
![Image of configuration settings](images/netext-scope.png)
13. Select **Done**.
![Image of configuration settings](images/netext-final.png)
## Step 10: Schedule scans with Microsoft Defender ATP for Mac
Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
## Step 9: Deploy Microsoft Defender ATP for macOS
## Step 11: Deploy Microsoft Defender ATP for macOS
1. Navigate to where you saved `wdav.pkg`.
@ -729,10 +783,12 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
9. Select **Save**. The package is uploaded to Jamf Pro.
![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
It can take a few minutes for the package to be available for deployment.
![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
It can take a few minutes for the package to be available for deployment.
![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
10. Navigate to the **Policies** page.
@ -765,25 +821,31 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
17. Select **Save**.
![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
18. Select the **Scope** tab.
18. Select the **Scope** tab.
![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
19. Select the target computers.
![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
**Scope**<br>
**Scope**
Select **Add**.
![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
**Self-Service** <br>
**Self-Service**
![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
20. Select **Done**.
![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)

2
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -31,7 +31,7 @@ ms.topic: conceptual
## Summary
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Users in your organization are not able to change preferences that are set through the configuration profile.
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.

6
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -41,6 +41,12 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
## 101.09.49
- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
- Improved CPU utilization during on-demand scans
- Performance improvements & bug fixes
## 101.07.23
- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID

Some files were not shown because too many files have changed in this diff Show More