Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into recall-ga-9608247

Meghan Stewart 2025-04-17 07:44:46 -07:00
commit 7957b0169e
271 changed files with 4839 additions and 8490 deletions


@ -14,6 +14,7 @@ on:
jobs: jobs:
download-payload: download-payload:
name: Download and extract payload artifact name: Download and extract payload artifact
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
with: with:
WorkflowId: ${{ github.event.workflow_run.id }} WorkflowId: ${{ github.event.workflow_run.id }}
@ -23,6 +24,7 @@ jobs:
label-assign: label-assign:
name: Run assign and label name: Run assign and label
if: github.repository_owner == 'MicrosoftDocs'
needs: [download-payload] needs: [download-payload]
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelAssign.yml@workflows-prod
with: with:
@ -33,9 +35,3 @@ jobs:
ExcludedBranchList: '["branch1", "branch2"]' ExcludedBranchList: '["branch1", "branch2"]'
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -13,7 +13,7 @@ on:
jobs: jobs:
download-payload: download-payload:
if: github.repository_visibility == 'public' if: github.repository_owner == 'MicrosoftDocs' && github.repository_visibility == 'public'
name: Download and extract payload artifact name: Download and extract payload artifact
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ExtractPayload.yml@workflows-prod
with: with:
@ -24,7 +24,7 @@ jobs:
label-msft: label-msft:
name: Label Microsoft contributors name: Label Microsoft contributors
if: github.repository_visibility == 'public' if: github.repository_owner == 'MicrosoftDocs' && github.repository_visibility == 'public'
needs: [download-payload] needs: [download-payload]
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoLabelMsftContributor.yml@workflows-prod
with: with:

25
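--- a/.github/workflows/AutoPublish.yml
+++ b/.github/workflows/AutoPublish.yml
@@ -0,0 +1,25 @@
+name: (Scheduled) Publish to live
+permissions:
+contents: write
+pull-requests: write
+on:
+schedule:
+- cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
+workflow_dispatch:
+jobs:
+auto-publish:
+if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build')
+uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod
+with:
+PayloadJson: ${{ toJSON(github) }}
+EnableAutoPublish: true
+secrets:
+AccessToken: ${{ secrets.GITHUB_TOKEN }}
+PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
+ClientId: ${{ secrets.M365_APP_CLIENT_ID }}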
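Review bot: The new `auto-publish` job passes `secrets.M365_APP_PRIVATE_KEY` and `secrets.M365_APP_CLIENT_ID`, together with a token granted `contents: write` and `pull-requests: write`, to a reusable workflow referenced by the mutable branch name `@workflows-prod`, so whatever that branch points to at run time executes on a schedule with those credentials. Pinning the `uses:` line to a reviewed full commit SHA (`uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@<commit-sha>`, placeholder) would turn every change to the shared workflow into an explicit bump in this repository. `PayloadJson: ${{ toJSON(github) }}` serializes the whole `github` context, which includes `github.token`; if the shared workflow needs only a few fields, passing them individually keeps the token out of the input. The top-level `permissions:` block applies to every job in the file, so declaring it under `auto-publish` would stop any job added later from inheriting write access by default.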


@ -9,6 +9,7 @@ on:
jobs: jobs:
upload: upload:
if: github.repository_owner == 'MicrosoftDocs'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:


@ -11,11 +11,9 @@ on:
jobs: jobs:
build-status: build-status:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -12,11 +12,9 @@ on:
jobs: jobs:
live-merge: live-merge:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-LiveMergeCheck.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -12,11 +12,9 @@ on:
jobs: jobs:
file-count: file-count:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-PrFileCount.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -10,11 +10,9 @@ on: [pull_request_target]
jobs: jobs:
protected-files: protected-files:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-ProtectedFiles.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -11,6 +11,7 @@ on:
jobs: jobs:
stale: stale:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with: with:
RunDebug: false RunDebug: false


@ -5,14 +5,15 @@ permissions:
on: on:
schedule: schedule:
- cron: "0 */12 * * *" - cron: "0 9 1 * *"
workflow_dispatch: # workflow_dispatch:
jobs: jobs:
stale-branch: stale-branch:
if: github.repository_owner == 'MicrosoftDocs'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
@ -20,6 +21,6 @@ jobs:
"ExampleBranch1", "ExampleBranch1",
"ExampleBranch2" "ExampleBranch2"
]' ]'
ReportOnly: true ReportOnly: false
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}
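Review bot: `ReportOnly` changes from `true` to `false` while the branch list just above it still holds the template entries `"ExampleBranch1"` and `"ExampleBranch2"`, so, assuming `ReportOnly: false` lets the shared StaleBranch workflow act on branches instead of only listing them, no real long-lived or release branch is exempted. The same section comments out `workflow_dispatch:`, which removes the option of a supervised manual run before the monthly `cron: "0 9 1 * *"` fires. I would replace the example entries with the repository's actual protected branch names before enabling this, and add a comment above `ReportOnly: false` stating what the shared workflow does in that mode. The start of the `with:` block, including the name of the list parameter, lies between the two visible hunks.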


@ -11,11 +11,11 @@ on:
jobs: jobs:
tier-mgmt: tier-mgmt:
if: github.repository_visibility == 'private' if: github.repository_owner == 'MicrosoftDocs' && github.repository_visibility == 'private'
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-TierManagement.yml@workflows-prod uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-TierManagement.yml@workflows-prod
with: with:
PayloadJson: ${{ toJSON(github) }} PayloadJson: ${{ toJSON(github) }}
EnableWriteSignOff: 1 EnableWriteSignOff: 1
EnableReadOnlySignoff: 0 EnableReadOnlySignoff: 1
secrets: secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }} AccessToken: ${{ secrets.GITHUB_TOKEN }}


@ -1689,6 +1689,51 @@
"source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md", "source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md",
"redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview", "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation.md",
"redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-communications.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md",
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-feature-deactivation.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": false
} }
] ]
} }


@ -1,7 +1,7 @@
--- ---
title: Configure Take a Test in kiosk mode title: Configure Take a Test in Kiosk Mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages. description: Learn how to configure Windows to execute the Take a Test app in kiosk mode using different methods.
ms.date: 09/06/2024 ms.date: 04/07/2025
ms.topic: how-to ms.topic: how-to
--- ---
@ -11,10 +11,11 @@ Executing Take a Test in kiosk mode is the recommended option for high stakes as
The configuration of Take a Test in kiosk mode can be done using: The configuration of Take a Test in kiosk mode can be done using:
- Microsoft Intune/MDM - Microsoft Intune
- a provisioning package (PPKG) - Configuration service provider (CSP)
- A provisioning package (PPKG)
- PowerShell - PowerShell
- the Settings app - The Settings app
When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed. When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account. The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account.
@ -26,19 +27,7 @@ The other options allow you to configure Take a Test in kiosk mode using a local
Follow the instructions below to configure your devices, selecting the option that best suits your needs. Follow the instructions below to configure your devices, selecting the option that best suits your needs.
# [:::image type="icon" source="images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) # [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
You can use Intune for Education or a custom profile in Microsoft Intune:
- Intune for Education provides a simpler experience
- A custom profile provides more flexibility and controls over the configuration
> [!IMPORTANT]
> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.**
>
> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy.
### Configure Take a Test from Intune for Education
To configure devices using Intune for Education, follow these steps: To configure devices using Intune for Education, follow these steps:
@ -51,23 +40,19 @@ To configure devices using Intune for Education, follow these steps:
:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true"::: :::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true":::
### Configure Take a Test with a custom policy # [:::image type="icon" source="images/icons/csp.svg"::: **CSP**](#tab/csp)
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] To configure devices using configuration service providers, use the following settings:
| Setting | | Setting |
|--------| |--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li> Data type: **Integer** </li><li>Value: **1**</li>| | - **OMA-URI:** `./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/`[InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin) <br>- **Data type:** Integer <br>- **Value:** `1`|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`** </li><li> Data type: **Integer**</li><li>Value: **1**</li>| | - **OMA-URI:** `./Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) <br>- **Data type:** Integer<br>- **Value:** `1`|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**</li><li>Data type: **Integer** </li><li> Value: **1**</li>| | - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[AccountModel](/windows/client-management/mdm/sharedpc-csp#accountmodel)<br>- **Data type:** Integer <br>- **Value:** `1`|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**</li><li>Data type: **Boolean** </li><li> Value: **True**</li>| | - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[EnableAccountManager](/windows/client-management/mdm/sharedpc-csp#enableaccountmanager)<br>- **Data type:** Boolean <br>- **Value:** `True`|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**</li><li>Data type: **String** </li><li> Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>| | - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeAUMID](/windows/client-management/mdm/sharedpc-csp#kioskmodeaumid)<br>- **Data type:** String <br>- **Value:** `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App`|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`** </li><li>Data type: **String** </li><li> Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>| | - **OMA-URI:** `./Vendor/MSFT/SharedPC/`[KioskModeUserTileDisplayText](/windows/client-management/mdm/sharedpc-csp#KioskModeUserTileDisplayText) <br>- **Data type:** String <br>- **Value:** **Take a Test** (or a string of your choice to display in the sing-in screen)|
| <li> OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`** </li><li>Data type: **String** </li><li> Value: **\<provide testing URL>**</li>| | - **OMA-URI:** `./Vendor/MSFT/SecureAssessment/`[LaunchURI](/windows/client-management/mdm/sharedpc-csp#LaunchURI) <br>- **Data type:** String <br>- **Value:** \<testing URL>|
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
# [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) # [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -88,13 +73,13 @@ Create a provisioning package using the Set up School PCs app, configuring the s
| Setting | | Setting |
|--------| |--------|
| <li> Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li>Value: **Enabled**</li>| | - Path: `Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn` <br>- **Value:** `Enabled`|
| <li> Path: **`Policies/WindowsLogon/HideFastUserSwitching`** </li><li>Value: **True**</li>| | - Path: `Policies/WindowsLogon/HideFastUserSwitching` <br>- **Value:** True|
| <li> Path: **`SharedPC/AccountManagement/AccountModel`** </li><li>Value: **Domain-joined only**</li>| | - Path: `SharedPC/AccountManagement/AccountModel` <br>- **Value:** Domain-joined only|
| <li> Path: **`SharedPC/AccountManagement/EnableAccountManager`** </li><li>Value: **True**</li>| | - Path: `SharedPC/AccountManagement/EnableAccountManager` <br>- **Value:** True|
| <li> Path: **`SharedPC/AccountManagement/KioskModeAUMID`** </li><li>Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>| | - Path: `SharedPC/AccountManagement/KioskModeAUMID` <br>- **Value:** **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**|
| <li> Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`** </li><li>Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>| | - Path: `SharedPC/AccountManagement/KioskModeUserTileDisplayText` <br>- **Value:** Take a Test (or a string of your choice to display in the sing-in screen)|
| <li> Path: **`TakeATest/LaunchURI/`** </li><li>Value: **\<provide testing URL>**</li>| | - Path: `TakeATest/LaunchURI/` <br>- **Value:** \<testing URL>|
:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true"::: :::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::


@ -0,0 +1,10 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_461_479)">
<path d="M9.01098 0.225006C9.67158 0.23262 10.3296 0.30894 10.9743 0.452742C11.2558 0.515517 11.4663 0.750165 11.4982 1.03677L11.6514 2.41094C11.7208 3.04188 12.2535 3.51976 12.8885 3.52043C13.0593 3.5207 13.2281 3.48515 13.3859 3.41535L14.6464 2.86161C14.9086 2.74644 15.215 2.80923 15.4106 3.01826C16.3216 3.99118 17 5.15804 17.3949 6.43103C17.4801 6.70553 17.3821 7.00383 17.1508 7.17436L16.0334 7.99795C15.7146 8.23213 15.5264 8.60401 15.5264 8.99956C15.5264 9.39502 15.7146 9.7669 16.0341 10.0016L17.1524 10.8255C17.3838 10.9959 17.4819 11.2943 17.3967 11.5689C17.002 12.8417 16.3239 14.0084 15.4135 14.9815C15.218 15.1905 14.9119 15.2535 14.6498 15.1385L13.3841 14.5841C13.0219 14.4256 12.6061 14.4488 12.2639 14.6466C11.9217 14.8443 11.694 15.1931 11.6505 15.5859L11.4983 16.96C11.4669 17.2433 11.261 17.4764 10.9836 17.5424C9.68004 17.8525 8.32185 17.8525 7.01823 17.5424C6.74092 17.4764 6.53495 17.2433 6.50356 16.96L6.35162 15.588C6.30699 15.1959 6.07891 14.8482 5.73698 14.6511C5.39506 14.454 4.97988 14.4309 4.61898 14.5885L3.35301 15.143C3.0908 15.258 2.78463 15.195 2.5891 14.9858C1.67816 14.0117 1.00007 12.8435 0.605881 11.5693C0.520975 11.2949 0.619075 10.9967 0.850366 10.8264L1.96936 10.002C2.28809 9.7678 2.47632 9.39592 2.47632 9.00046C2.47632 8.60491 2.28809 8.23303 1.96894 7.99858L0.850645 7.17557C0.619021 7.00511 0.520831 6.70661 0.606034 6.43193C1.00091 5.15894 1.67935 3.99208 2.59032 3.01916C2.78603 2.81013 3.09235 2.74734 3.35452 2.86251L4.61486 3.41615C4.97751 3.57531 5.39442 3.55127 5.73819 3.35043C6.08048 3.15189 6.30836 2.8028 6.35235 2.40988L6.50542 1.03677C6.53739 0.750021 6.74807 0.515292 7.02972 0.452652C7.67529 0.309084 8.334 0.232791 9.01098 0.225006ZM8.99973 6.29996C7.50852 6.29996 6.29973 7.5088 6.29973 9.00001C6.29973 10.4911 7.50852 11.7 8.99973 11.7C10.4909 11.7 11.6997 10.4911 11.6997 9.00001C11.6997 7.5088 10.4909 6.29996 8.99973 6.29996Z" fill="#0883D9"/>
</g>
<defs>
<clipPath id="clip0_461_479">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>

After

Width:  |  Height:  |  Size: 2.1 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 221 KiB


@ -1,7 +1,7 @@
--- ---
title: Take a Test app technical reference title: Take a Test App Technical Reference
description: List of policies and settings applied by the Take a Test app. description: List of policies and settings applied by the Take a Test app.
ms.date: 09/06/2024 ms.date: 04/07/2025
ms.topic: reference ms.topic: reference
--- ---


@ -41,7 +41,7 @@ ms.topic: include
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes| |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes| |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|Yes|❌|Yes|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes| |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|


@ -1,7 +1,7 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 11/02/2023 ms.date: 04/14/2025
ms.topic: include ms.topic: include
--- ---
@ -41,7 +41,7 @@ ms.topic: include
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](/defender-office-365/app-guard-for-office-install)**|❌|❌|❌|❌|❌|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes| |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|


@ -0,0 +1,14 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/09/2025
ms.topic: include
---
### Windows edition requirements
The following list contains the Windows editions that support Unbranded Boot:
✅ Enterprise / Enterprise LTSC\
✅ Education\
✅ IoT Enterprise / IoT Enterprise LTSC

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.6 MiB


@ -0,0 +1,106 @@
---
title: Manage Click to Do for Windows clients
description: Learn how to manage Click to Do for commercial environments and about Click to Do features.
ms.topic: how-to
ms.subservice: windows-copilot
ms.date: 03/28/2025
ms.author: mstewart
author: mestew
ms.collection:
- windows-copilot
- magic-ai-copilot
appliesto:
- ✅ <a href="https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs" target="_blank">Copilot+ PCs</a>
---
# Manage Click to Do
<!--9687427-->
>**Looking for consumer information?** See [Click to Do: do more with what's on your screen](https://support.microsoft.com/topic/6848b7d5-7fb0-4c43-b08a-443d6d3f5955).
Click to Do (preview) helps users to get things done faster by identifying text and images that are currently on their screen so they can perform actions on them. This article provides information about Click to Do and how to manage it in a commercial environment.
> [!NOTE]
> - The policy to manage Click to Do is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2025/03/28/announcing-windows-11-insider-preview-build-26120-3653-beta-channel/).
> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
> - Click to Do is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
## What is Click to Do?
Click to Do (preview) analyzes what's on the screen and then allows users to choose the text or image they want to take action on. Users can open Click to Do by using **Windows key** + **Q** or with **Windows key** + **mouse click**. Other entry points for Click to Do include Snipping Tool, search results, and the Start menu.
The analysis of screenshots is always performed locally on the device. Analysis only begins after users actively engage with Click to Do and ends when they exit Click to Do. Click to Do only identifies text and images, not the content of those text or images. It doesn't analyze any content in, for example, minimized applications that aren't on the screen.
Content is only shared if users choose to complete an action like **Search the web**. When Click to Do is active, the cursor is blue and white. The cursor also changes shape depending on the type of info beneath it. What users can do with the info changes based on what kind of content Click to Do detects. For instance, users can perform actions on text such as copy, summarize or rewrite it, or share it. For images, users can perform actions such as copy, save, or blurring the background using Microsoft Photos.
:::image type="content" source="images/9687427-text-actions-click-to-do.png" alt-text="Screenshot of the text actions in Click to Do" lightbox="images/9687427-text-actions-click-to-do.png":::
## System requirements
Click to Do has the following minimum requirements:
- A [Copilot+ PC](https://aka.ms/copilotpluspcs)
- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
The more intelligent text actions are available only on Snapdragon-powered Copilot+ PCs today when your language is set to English with support for AMD and Intel-powered Copilot+ PCs coming soon.
## Configure policy for Click to Do
When activated, Click to Do takes a screenshot of the user's screen and analyzes it to present actions. Click to Do ends when users exit it, and it can't take screenshots while closed. Screenshot analysis is always performed locally on the device. By default, Click to Do is enabled for users.
The policy setting below allows you to determine whether Click to Do is available for users on their device:
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableClickToDo](mdm/policy-csp-windowsai.md#disableclicktodo) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableClickToDo](mdm/policy-csp-windowsai.md#disableclicktodo)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Disable Click to Do** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Disable Click to Do**|
- When the policy is enabled, the Click to Do component and entry points won't be available to users.
- When the policy is disabled or not configured, users will have Click to Do available on their device.
> [!Important]
> This policy doesn't affect Click to Do in Recall. For more information, see [Manage Recall](manage-recall.md).
## Click to Do privacy considerations
When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
- `C:\Users\{username}\AppData\Local\Temp`
Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) is gathered to keep Click to Do secure, up to date, and working.
Click to Do's more intelligent text actions, including **Summarize**, **Rewrite (Casual)**, **Rewrite (Formal)**,**Rewrite (Refine)**, and **Create a bulleted list** are powered by a state-of-the-art small language model called Phi Silica. Phi Silica leverages the NPU and the language model runs locally on Copilot+ PCs. Phi Silica ships inbox with Windows on Copilot+ PCs.
When a user clicks on the Click to Do text actions, the selected text and the chosen action are sent to Phi Silica as part of a prompt. Phi Silica intelligently rewrites the selected text as per the user's request and streams back the response from the model. Phi Silica provides responses quickly and efficiently, using little power. For more information, see [Phi Silica, small but mighty on-device SLM](https://blogs.windows.com/windowsexperience/?p=179250).
In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows you to choose if you want to get more information about your selected content online. When you choose one of the following Click to Do actions, the selected content is sent to the online provider from your local device to complete your request:
- **Search the web**: Sends the selected content to Bing using Microsoft Edge
- **Open website**: Opens the selected website in your default browser
- **Visual search with Bing**: Sends the selected content to [Bing visual search](https://support.microsoft.com/topic/62771a0c-4daa-47e4-a9f7-e1bfa85f0d7c) using your default browser
## Microsoft's commitment to responsible AI and Privacy
Microsoft has been working to advance AI responsibly since 2017, when we first defined our AI principles and later operationalized our approach through our Responsible AI Standard. Privacy and security are core principles as we develop and deploy AI systems. We work to help our customers use our AI products responsibly, sharing our learnings, and building trust-based partnerships. For more about our responsible AI efforts, the principles that guide us, and the tools and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).
To provide clarity on how each AI feature works, it's important for you to understand its capabilities and limitations. You should understand the choices available to you in an AI feature and the responsibility associated with those choices.
Click to Do suggests actions that you can take, and you can choose the apps that will be the provider (if applicable) for those actions. Once you choose the action and provider for the action, the results from that action are the responsibility of the provider. For example, from Click to Do you can choose the action Remove background with Paint, which means you've chosen Paint as the provider for the action. Once you have selected the action from the Click to Do context menu, it launches the Paint app and the selected image is processed by Paint.
Click to Do uses optical character recognition (OCR) on your PC to detect text entities on screenshots. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note).
Click to Do's intelligent text actions use a small language model called Phi Silica. For more information on Phi Silica, see [Get started with Phi Silica in the Windows App SDK](/windows/ai/apis/phi-silica#responsible-ai). For information about the Responsible AI principles guiding Phi Silica deployment and the safety measures in place when using generative language models, see [Responsible Generative AI Development on Windows](/windows/ai/rai).
Click to Do's models have undergone fairness assessments, alongside comprehensive responsible AI, security and privacy assessments, to make sure the technology is effective and equitable while adhering to Microsoft's Responsible AI best practices.
## Related links
- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
- [Responsible AI](https://www.microsoft.com/ai/responsible-ai)


@ -1,7 +1,7 @@
--- ---
title: BitLocker CSP title: BitLocker CSP
description: Learn more about the BitLocker CSP. description: Learn more about the BitLocker CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -175,7 +175,7 @@ The expected values for this policy are:
1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed. 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0. Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Description-End --> <!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
@ -209,7 +209,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. | | 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 1 (Default) | Warning prompt allowed. | | 1 (Default) | Warning prompt allowed. |
<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End --> <!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
@ -251,9 +251,9 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices. Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and hybrid domain joined devices.
When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. When not configured, Rotation is turned on by default for Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
@ -261,8 +261,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF. Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value 1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices. 2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and hybrid devices.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-End --> <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@ -285,8 +285,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Refresh off (default). | | 0 (Default) | Refresh off (default). |
| 1 | Refresh on for Microsoft Entra joined devices. | | 1 | Refresh on for Entra ID-joined devices. |
| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. | | 2 | Refresh on for both Entra ID-joined and hybrid-joined devices. |
<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End --> <!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin --> <!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@ -1212,7 +1212,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
<!-- Device-RotateRecoveryPasswords-Description-Begin --> <!-- Device-RotateRecoveryPasswords-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device. Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools. This policy is Execute type and rotates all numeric passwords when issued from MDM tools.


@ -1,7 +1,7 @@
--- ---
title: BitLocker DDF file title: BitLocker DDF file
description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -580,7 +580,7 @@ The following XML file contains the device description framework (DDF) for the B
1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
the value 0 only takes affect on Azure Active Directory joined devices. the value 0 only takes affect on Entra ID joined devices.
Windows will attempt to silently enable BitLocker for value 0. Windows will attempt to silently enable BitLocker for value 0.
If you want to disable this policy use the following SyncML: If you want to disable this policy use the following SyncML:
@ -600,7 +600,7 @@ The following XML file contains the device description framework (DDF) for the B
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription> <MSFT:ValueDescription>Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Entra ID joined devices. Windows will attempt to silently enable BitLocker for value 0.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
@ -680,15 +680,15 @@ The following XML file contains the device description framework (DDF) for the B
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. <Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Entra ID and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when When not configured, Rotation is turned on by default for Entra ID only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required. Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF. Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value 1 - Numeric Recovery Passwords Rotation upon use ON for Entra ID joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices 2 - Numeric Recovery Passwords Rotation upon use ON for both Entra ID and Hybrid devices
If you want to disable this policy use the following SyncML: If you want to disable this policy use the following SyncML:
@ -716,11 +716,11 @@ The following XML file contains the device description framework (DDF) for the B
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Refresh on for Azure AD-joined devices</MSFT:ValueDescription> <MSFT:ValueDescription>Refresh on for Entra ID-joined devices</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Refresh on for both Azure AD-joined and hybrid-joined devices</MSFT:ValueDescription> <MSFT:ValueDescription>Refresh on for both Entra ID-joined and hybrid-joined devices</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -731,7 +731,7 @@ The following XML file contains the device description framework (DDF) for the B
<AccessType> <AccessType>
<Exec /> <Exec />
</AccessType> </AccessType>
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. <Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools. This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."


@ -1,7 +1,7 @@
--- ---
title: Firewall CSP title: Firewall CSP
description: Learn more about the Firewall CSP. description: Learn more about the Firewall CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -1896,9 +1896,7 @@ New rules have the EdgeTraversal property disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->
@ -3254,9 +3252,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.
If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Description-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Editable-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Editable-Begin -->


@ -1,7 +1,7 @@
--- ---
title: Firewall DDF file title: Firewall DDF file
description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -4060,8 +4060,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. <Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
If not specified - a new rule is disabled by default.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -4760,8 +4759,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. <Description>Indicates whether the rule is enabled or disabled. If not specified - a new rule is enabled by default.</Description>
If not specified - a new rule is disabled by default.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>


@ -1,7 +1,7 @@
--- ---
title: Configuration service provider preview policies title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -23,6 +23,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## ApplicationManagement ## ApplicationManagement
- [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules) - [AllowedNonAdminPackageFamilyNameRules](policy-csp-applicationmanagement.md#allowednonadminpackagefamilynamerules)
- [ConfigureMSIXAuthenticationAuthorizedDomains](policy-csp-applicationmanagement.md#configuremsixauthenticationauthorizeddomains)
## ClientCertificateInstall CSP ## ClientCertificateInstall CSP
@ -92,9 +93,8 @@ This article lists the policies that are applicable for Windows Insider Preview
## HumanPresence ## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen) - [ForceOnlookerDetection](policy-csp-humanpresence.md#forceonlookerdetection)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim) - [ForceOnlookerDetectionAction](policy-csp-humanpresence.md#forceonlookerdetectionaction)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer ## InternetExplorer
@ -111,6 +111,16 @@ This article lists the policies that are applicable for Windows Insider Preview
- [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation) - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation)
- [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages) - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages)
## LanmanWorkstation
- [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon)
- [AuditServerDoesNotSupportEncryption](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportencryption)
- [AuditServerDoesNotSupportSigning](policy-csp-lanmanworkstation.md#auditserverdoesnotsupportsigning)
- [EnableMailslots](policy-csp-lanmanworkstation.md#enablemailslots)
- [MaxSmb2Dialect](policy-csp-lanmanworkstation.md#maxsmb2dialect)
- [MinSmb2Dialect](policy-csp-lanmanworkstation.md#minsmb2dialect)
- [RequireEncryption](policy-csp-lanmanworkstation.md#requireencryption)
## LocalPoliciesSecurityOptions ## LocalPoliciesSecurityOptions
- [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache) - [InteractiveLogon_NumberOfPreviousLogonsToCache](policy-csp-localpoliciessecurityoptions.md#interactivelogon_numberofpreviouslogonstocache)
@ -133,6 +143,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Power
- [EnableEnergySaver](policy-csp-power.md#enableenergysaver)
## Printers ## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy) - [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
@ -141,6 +155,17 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime) - [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## RemoteRemediation CSP
- [EnableCloudRemediation](remoteremediation-csp.md#cloudremediationsettingsenablecloudremediation)
- [EnableAutoRemediation](remoteremediation-csp.md#cloudremediationsettingsautoremediationsettingsenableautoremediation)
- [SetTimeToReboot](remoteremediation-csp.md#cloudremediationsettingsautoremediationsettingssettimetoreboot)
- [SetRetryInterval](remoteremediation-csp.md#cloudremediationsettingsautoremediationsettingssetretryinterval)
- [NetworkSSID](remoteremediation-csp.md#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkssid)
- [NetworkPassword](remoteremediation-csp.md#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpassword)
- [NetworkPasswordEncryptionType](remoteremediation-csp.md#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpasswordencryptiontype)
- [NetworkPasswordEncryptionStore](remoteremediation-csp.md#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpasswordencryptionstore)
## SettingsSync ## SettingsSync
- [EnableWindowsbackup](policy-csp-settingssync.md#enablewindowsbackup) - [EnableWindowsbackup](policy-csp-settingssync.md#enablewindowsbackup)
@ -154,6 +179,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled) - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
## System
- [DisableCHPE](policy-csp-system.md#disablechpe)
## TextInput ## TextInput
- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability) - [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
@ -169,10 +198,12 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI ## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall) - [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall) - [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) - [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) - [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableClickToDo](policy-csp-windowsai.md#disableclicktodo)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator) - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator) - [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill) - [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)


@ -143,6 +143,8 @@ Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant
<!-- AllowMicrosoftAccountSignInAssistant-Editable-Begin --> <!-- AllowMicrosoftAccountSignInAssistant-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!CAUTION]
> If the Microsoft Account Sign-In Assistant service is disabled, the initial digital license activation with a Multiple Activation Key (MAK) or Digital Product Key (DPK) will fail.
<!-- AllowMicrosoftAccountSignInAssistant-Editable-End --> <!-- AllowMicrosoftAccountSignInAssistant-Editable-End -->
<!-- AllowMicrosoftAccountSignInAssistant-DFProperties-Begin --> <!-- AllowMicrosoftAccountSignInAssistant-DFProperties-Begin -->


@ -1,7 +1,7 @@
--- ---
title: ADMX_Desktop Policy CSP title: ADMX_Desktop Policy CSP
description: Learn more about the ADMX_Desktop Area in Policy CSP. description: Learn more about the ADMX_Desktop Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 03/20/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -224,7 +224,7 @@ This setting prevents users from trying to enable or disable Active Desktop whil
If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE] > [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
<!-- ForceActiveDesktopOn-Description-End --> <!-- ForceActiveDesktopOn-Description-End -->
<!-- ForceActiveDesktopOn-Editable-Begin --> <!-- ForceActiveDesktopOn-Editable-Begin -->


@ -1,7 +1,7 @@
--- ---
title: ApplicationManagement Policy CSP title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP. description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -635,6 +635,54 @@ Manages non-Administrator users' ability to install Windows app packages.
<!-- BlockNonAdminUserInstall-End --> <!-- BlockNonAdminUserInstall-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Begin -->
## ConfigureMSIXAuthenticationAuthorizedDomains
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Applicability-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ConfigureMSIXAuthenticationAuthorizedDomains
```
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-OmaUri-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-Begin -->
<!-- Description-Source-DDF -->
Defines a regular expression in ECMA Script. When performing a streaming MSIX install, if this regular expression matches the domain name (uppercased) then the user's EntraID OAuth token will be attached to the request.
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Description-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Editable-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-DFProperties-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureMSIXAuthenticationAuthorizedDomains |
| Path | AppxPackageManager > AT > WindowsComponents > AppxDeployment |
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-GpMapping-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-Examples-End -->
<!-- ConfigureMSIXAuthenticationAuthorizedDomains-End -->
<!-- DisableStoreOriginatedApps-Begin --> <!-- DisableStoreOriginatedApps-Begin -->
## DisableStoreOriginatedApps ## DisableStoreOriginatedApps


@ -1,7 +1,7 @@
--- ---
title: Defender Policy CSP title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP. description: Learn more about the Defender Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -728,7 +728,7 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 1 |
<!-- AllowScanningNetworkFiles-DFProperties-End --> <!-- AllowScanningNetworkFiles-DFProperties-End -->
<!-- AllowScanningNetworkFiles-AllowedValues-Begin --> <!-- AllowScanningNetworkFiles-AllowedValues-Begin -->
@ -736,8 +736,8 @@ This policy setting allows you to configure scheduled scans and on-demand (manua
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Not allowed. Turns off scanning of network files. | | 0 | Not allowed. Turns off scanning of network files. |
| 1 | Allowed. Scans network files. | | 1 (Default) | Allowed. Scans network files. |
<!-- AllowScanningNetworkFiles-AllowedValues-End --> <!-- AllowScanningNetworkFiles-AllowedValues-End -->
<!-- AllowScanningNetworkFiles-GpMapping-Begin --> <!-- AllowScanningNetworkFiles-GpMapping-Begin -->


@ -219,6 +219,8 @@ Specifies how your client(s) can discover Microsoft Connected Cache servers dyna
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set. > If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set.
>
> If [LocalPolicyMerge](/windows/security/operating-system-security/network-security/windows-firewall/rules#local-policy-merge-and-application-rules) setting is configured (e.g. as part of security baselines) it can impact DHCP client and prevent it from retrieving this DHCP option, especially in Autopilot scenarios.
<!-- DOCacheHostSource-Editable-End --> <!-- DOCacheHostSource-Editable-End -->
<!-- DOCacheHostSource-DFProperties-Begin --> <!-- DOCacheHostSource-DFProperties-Begin -->


@ -1,7 +1,7 @@
--- ---
title: HumanPresence Policy CSP title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP. description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -529,31 +529,31 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End --> <!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin --> <!-- ForceOnlookerDetection-Begin -->
## ForcePrivacyScreen ## ForceOnlookerDetection
<!-- ForcePrivacyScreen-Applicability-Begin --> <!-- ForceOnlookerDetection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End --> <!-- ForceOnlookerDetection-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin --> <!-- ForceOnlookerDetection-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetection
``` ```
<!-- ForcePrivacyScreen-OmaUri-End --> <!-- ForceOnlookerDetection-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin --> <!-- ForceOnlookerDetection-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out. Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End --> <!-- ForceOnlookerDetection-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin --> <!-- ForceOnlookerDetection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End --> <!-- ForceOnlookerDetection-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin --> <!-- ForceOnlookerDetection-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
@ -561,9 +561,9 @@ Determines whether detect when other people are looking at my screen is forced o
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End --> <!-- ForceOnlookerDetection-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin --> <!-- ForceOnlookerDetection-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
@ -571,48 +571,48 @@ Determines whether detect when other people are looking at my screen is forced o
| 2 | ForcedOff. | | 2 | ForcedOff. |
| 1 | ForcedOn. | | 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. | | 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End --> <!-- ForceOnlookerDetection-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin --> <!-- ForceOnlookerDetection-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | ForcePrivacyScreen | | Name | ForceOnlookerDetection |
| Path | Sensors > AT > WindowsComponents > HumanPresence | | Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End --> <!-- ForceOnlookerDetection-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin --> <!-- ForceOnlookerDetection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End --> <!-- ForceOnlookerDetection-Examples-End -->
<!-- ForcePrivacyScreen-End --> <!-- ForceOnlookerDetection-End -->
<!-- ForcePrivacyScreenDim-Begin --> <!-- ForceOnlookerDetectionAction-Begin -->
## ForcePrivacyScreenDim ## ForceOnlookerDetectionAction
<!-- ForcePrivacyScreenDim-Applicability-Begin --> <!-- ForceOnlookerDetectionAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End --> <!-- ForceOnlookerDetectionAction-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin --> <!-- ForceOnlookerDetectionAction-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim ./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceOnlookerDetectionAction
``` ```
<!-- ForcePrivacyScreenDim-OmaUri-End --> <!-- ForceOnlookerDetectionAction-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin --> <!-- ForceOnlookerDetectionAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. Determines whether the Onlooker Detection action is forced by the MDM policy. The user won't be able to change this setting and the toggle in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End --> <!-- ForceOnlookerDetectionAction-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin --> <!-- ForceOnlookerDetectionAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End --> <!-- ForceOnlookerDetectionAction-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin --> <!-- ForceOnlookerDetectionAction-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
@ -620,91 +620,33 @@ Determines whether dim the screen when other people are looking at my screen che
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End --> <!-- ForceOnlookerDetectionAction-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin --> <!-- ForceOnlookerDetectionAction-AllowedValues-Begin -->
**Allowed values**: **Allowed values**:
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 2 | ForcedUnchecked. | | 3 | ForcedDimAndNotify. |
| 1 | ForcedChecked. | | 2 | ForcedNotify. |
| 1 | ForcedDim. |
| 0 (Default) | DefaultToUserChoice. | | 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End --> <!-- ForceOnlookerDetectionAction-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin --> <!-- ForceOnlookerDetectionAction-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | ForcePrivacyScreenDim | | Name | ForceOnlookerDetectionAction |
| Path | Sensors > AT > WindowsComponents > HumanPresence | | Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End --> <!-- ForceOnlookerDetectionAction-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin --> <!-- ForceOnlookerDetectionAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End --> <!-- ForceOnlookerDetectionAction-Examples-End -->
<!-- ForcePrivacyScreenDim-End --> <!-- ForceOnlookerDetectionAction-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin --> <!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->


@ -1,7 +1,7 @@
--- ---
title: LanmanWorkstation Policy CSP title: LanmanWorkstation Policy CSP
description: Learn more about the LanmanWorkstation Area in Policy CSP. description: Learn more about the LanmanWorkstation Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -10,10 +10,213 @@ ms.topic: generated-reference
<!-- LanmanWorkstation-Begin --> <!-- LanmanWorkstation-Begin -->
# Policy CSP - LanmanWorkstation # Policy CSP - LanmanWorkstation
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LanmanWorkstation-Editable-Begin --> <!-- LanmanWorkstation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-Editable-End --> <!-- LanmanWorkstation-Editable-End -->
<!-- AuditInsecureGuestLogon-Begin -->
## AuditInsecureGuestLogon
<!-- AuditInsecureGuestLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditInsecureGuestLogon-Applicability-End -->
<!-- AuditInsecureGuestLogon-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditInsecureGuestLogon
```
<!-- AuditInsecureGuestLogon-OmaUri-End -->
<!-- AuditInsecureGuestLogon-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the client is logged-on as guest account.
- If you enable this policy setting, the SMB client will log the event when the client is logged-on as guest account.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditInsecureGuestLogon-Description-End -->
<!-- AuditInsecureGuestLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Editable-End -->
<!-- AuditInsecureGuestLogon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditInsecureGuestLogon-DFProperties-End -->
<!-- AuditInsecureGuestLogon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditInsecureGuestLogon-AllowedValues-End -->
<!-- AuditInsecureGuestLogon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditInsecureGuestLogon |
| Friendly Name | Audit insecure guest logon |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditInsecureGuestLogon |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditInsecureGuestLogon-GpMapping-End -->
<!-- AuditInsecureGuestLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditInsecureGuestLogon-Examples-End -->
<!-- AuditInsecureGuestLogon-End -->
<!-- AuditServerDoesNotSupportEncryption-Begin -->
## AuditServerDoesNotSupportEncryption
<!-- AuditServerDoesNotSupportEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportEncryption-Applicability-End -->
<!-- AuditServerDoesNotSupportEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportEncryption
```
<!-- AuditServerDoesNotSupportEncryption-OmaUri-End -->
<!-- AuditServerDoesNotSupportEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support encryption.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support encryption.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportEncryption-Description-End -->
<!-- AuditServerDoesNotSupportEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Editable-End -->
<!-- AuditServerDoesNotSupportEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportEncryption-DFProperties-End -->
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportEncryption-AllowedValues-End -->
<!-- AuditServerDoesNotSupportEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportEncryption |
| Friendly Name | Audit server does not support encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportEncryption-GpMapping-End -->
<!-- AuditServerDoesNotSupportEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportEncryption-Examples-End -->
<!-- AuditServerDoesNotSupportEncryption-End -->
<!-- AuditServerDoesNotSupportSigning-Begin -->
## AuditServerDoesNotSupportSigning
<!-- AuditServerDoesNotSupportSigning-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- AuditServerDoesNotSupportSigning-Applicability-End -->
<!-- AuditServerDoesNotSupportSigning-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/AuditServerDoesNotSupportSigning
```
<!-- AuditServerDoesNotSupportSigning-OmaUri-End -->
<!-- AuditServerDoesNotSupportSigning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable the audit event when the SMB server doesn't support signing.
- If you enable this policy setting, the SMB client will log the event when the SMB server doesn't support signing.
- If you disable or don't configure this policy setting, the SMB client won't log the event.
<!-- AuditServerDoesNotSupportSigning-Description-End -->
<!-- AuditServerDoesNotSupportSigning-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Editable-End -->
<!-- AuditServerDoesNotSupportSigning-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AuditServerDoesNotSupportSigning-DFProperties-End -->
<!-- AuditServerDoesNotSupportSigning-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- AuditServerDoesNotSupportSigning-AllowedValues-End -->
<!-- AuditServerDoesNotSupportSigning-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_AuditServerDoesNotSupportSigning |
| Friendly Name | Audit server does not support signing |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | AuditServerDoesNotSupportSigning |
| ADMX File Name | LanmanWorkstation.admx |
<!-- AuditServerDoesNotSupportSigning-GpMapping-End -->
<!-- AuditServerDoesNotSupportSigning-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AuditServerDoesNotSupportSigning-Examples-End -->
<!-- AuditServerDoesNotSupportSigning-End -->
<!-- EnableInsecureGuestLogons-Begin --> <!-- EnableInsecureGuestLogons-Begin -->
## EnableInsecureGuestLogons ## EnableInsecureGuestLogons
@ -85,6 +288,282 @@ Insecure guest logons are used by file servers to allow unauthenticated access t
<!-- EnableInsecureGuestLogons-End --> <!-- EnableInsecureGuestLogons-End -->
<!-- EnableMailslots-Begin -->
## EnableMailslots
<!-- EnableMailslots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- EnableMailslots-Applicability-End -->
<!-- EnableMailslots-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableMailslots
```
<!-- EnableMailslots-OmaUri-End -->
<!-- EnableMailslots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will enable or disable remote mailslots over MUP.
- If you disable this policy setting, remote mailslots won't function over MUP, hence they won't go through the SMB client redirector.
- If you don't configure this policy setting, remote mailslots may be allowed through MUP.
<!-- EnableMailslots-Description-End -->
<!-- EnableMailslots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableMailslots-Editable-End -->
<!-- EnableMailslots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableMailslots-DFProperties-End -->
<!-- EnableMailslots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- EnableMailslots-AllowedValues-End -->
<!-- EnableMailslots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_EnableMailslots |
| Friendly Name | Enable remote mailslots |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider |
| Registry Value Name | EnableMailslots |
| ADMX File Name | LanmanWorkstation.admx |
<!-- EnableMailslots-GpMapping-End -->
<!-- EnableMailslots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableMailslots-Examples-End -->
<!-- EnableMailslots-End -->
<!-- MaxSmb2Dialect-Begin -->
## MaxSmb2Dialect
<!-- MaxSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MaxSmb2Dialect-Applicability-End -->
<!-- MaxSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MaxSmb2Dialect
```
<!-- MaxSmb2Dialect-OmaUri-End -->
<!-- MaxSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the maximum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MaxSmb2Dialect-Description-End -->
<!-- MaxSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Editable-End -->
<!-- MaxSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 785 |
<!-- MaxSmb2Dialect-DFProperties-End -->
<!-- MaxSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 (Default) | SMB 3.1.1. |
<!-- MaxSmb2Dialect-AllowedValues-End -->
<!-- MaxSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MaxSmb2Dialect |
| Friendly Name | Mandate the maximum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MaxSmb2Dialect-GpMapping-End -->
<!-- MaxSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MaxSmb2Dialect-Examples-End -->
<!-- MaxSmb2Dialect-End -->
<!-- MinSmb2Dialect-Begin -->
## MinSmb2Dialect
<!-- MinSmb2Dialect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- MinSmb2Dialect-Applicability-End -->
<!-- MinSmb2Dialect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/MinSmb2Dialect
```
<!-- MinSmb2Dialect-OmaUri-End -->
<!-- MinSmb2Dialect-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls the minimum version of SMB protocol.
> [!NOTE]
> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled.
<!-- MinSmb2Dialect-Description-End -->
<!-- MinSmb2Dialect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Editable-End -->
<!-- MinSmb2Dialect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 514 |
<!-- MinSmb2Dialect-DFProperties-End -->
<!-- MinSmb2Dialect-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 514 (Default) | SMB 2.0.2. |
| 528 | SMB 2.1.0. |
| 768 | SMB 3.0.0. |
| 770 | SMB 3.0.2. |
| 785 | SMB 3.1.1. |
<!-- MinSmb2Dialect-AllowedValues-End -->
<!-- MinSmb2Dialect-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_MinSmb2Dialect |
| Friendly Name | Mandate the minimum version of SMB |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| ADMX File Name | LanmanWorkstation.admx |
<!-- MinSmb2Dialect-GpMapping-End -->
<!-- MinSmb2Dialect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinSmb2Dialect-Examples-End -->
<!-- MinSmb2Dialect-End -->
<!-- RequireEncryption-Begin -->
## RequireEncryption
<!-- RequireEncryption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later <br> ✅ Windows Insider Preview |
<!-- RequireEncryption-Applicability-End -->
<!-- RequireEncryption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/RequireEncryption
```
<!-- RequireEncryption-OmaUri-End -->
<!-- RequireEncryption-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the SMB client will require encryption.
- If you enable this policy setting, the SMB client will require the SMB server to support encryption and encrypt the data.
- If you disable or don't configure this policy setting, the SMB client won't require encryption. However, SMB encryption may still be required; see notes below.
> [!NOTE]
> This policy is combined with per-share, per-server, and per mapped drive connection properties, through which SMB encryption may be required. The SMB server must support and enable SMB encryption. For example, should this policy be disabled (or not configured), the SMB client may still perform encryption if an SMB server share has required encryption.
> [!IMPORTANT]
> SMB encryption requires SMB 3.0 or later.
<!-- RequireEncryption-Description-End -->
<!-- RequireEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireEncryption-Editable-End -->
<!-- RequireEncryption-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireEncryption-DFProperties-End -->
<!-- RequireEncryption-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RequireEncryption-AllowedValues-End -->
<!-- RequireEncryption-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_RequireEncryption |
| Friendly Name | Require Encryption |
| Location | Computer Configuration |
| Path | Network > Lanman Workstation |
| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation |
| Registry Value Name | RequireEncryption |
| ADMX File Name | LanmanWorkstation.admx |
<!-- RequireEncryption-GpMapping-End -->
<!-- RequireEncryption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireEncryption-Examples-End -->
<!-- RequireEncryption-End -->
<!-- LanmanWorkstation-CspMoreInfo-Begin --> <!-- LanmanWorkstation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- LanmanWorkstation-CspMoreInfo-End --> <!-- LanmanWorkstation-CspMoreInfo-End -->


@ -1,7 +1,7 @@
--- ---
title: Power Policy CSP title: Power Policy CSP
description: Learn more about the Power Area in Policy CSP. description: Learn more about the Power Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Power-Editable-Begin --> <!-- Power-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Power-Editable-End --> <!-- Power-Editable-End -->
@ -307,6 +309,64 @@ If the user has configured a slide show to run on the lock screen when the machi
<!-- DisplayOffTimeoutPluggedIn-End --> <!-- DisplayOffTimeoutPluggedIn-End -->
<!-- EnableEnergySaver-Begin -->
## EnableEnergySaver
<!-- EnableEnergySaver-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableEnergySaver-Applicability-End -->
<!-- EnableEnergySaver-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver
```
<!-- EnableEnergySaver-OmaUri-End -->
<!-- EnableEnergySaver-Description-Begin -->
<!-- Description-Source-DDF -->
This policy will extend battery life and reduce energy consumption by enabling Energy Saver to always be on. Energy Saver will always be on for desktops as well as laptops regardless of battery level for both AC and DC. If you disable or don't configure this policy setting, then Energy Saver will turn on based on the EnergySaverBatteryThreshold group policy.
<!-- EnableEnergySaver-Description-End -->
<!-- EnableEnergySaver-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableEnergySaver-Editable-End -->
<!-- EnableEnergySaver-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableEnergySaver-DFProperties-End -->
<!-- EnableEnergySaver-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable energy saver policy. |
| 1 (Default) | Enable energy saver always-on mode. |
<!-- EnableEnergySaver-AllowedValues-End -->
<!-- EnableEnergySaver-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | EnableEnergySaver |
| Path | Power > AT > System > PowerManagementCat > EnergySaverSettingsCat |
<!-- EnableEnergySaver-GpMapping-End -->
<!-- EnableEnergySaver-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableEnergySaver-Examples-End -->
<!-- EnableEnergySaver-End -->
<!-- EnergySaverBatteryThresholdOnBattery-Begin --> <!-- EnergySaverBatteryThresholdOnBattery-Begin -->
## EnergySaverBatteryThresholdOnBattery ## EnergySaverBatteryThresholdOnBattery
@ -344,6 +404,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` | | Allowed Values | Range: `[0-100]` |
| Default Value | 0 | | Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdOnBattery_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdOnBattery-DFProperties-End --> <!-- EnergySaverBatteryThresholdOnBattery-DFProperties-End -->
<!-- EnergySaverBatteryThresholdOnBattery-GpMapping-Begin --> <!-- EnergySaverBatteryThresholdOnBattery-GpMapping-Begin -->
@ -403,6 +464,7 @@ This policy setting allows you to specify battery charge level at which Energy S
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-100]` | | Allowed Values | Range: `[0-100]` |
| Default Value | 0 | | Default Value | 0 |
| Dependency [Power_EnergySaverBatteryThresholdPluggedIn_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `./Device/Vendor/MSFT/Policy/Config/Power/EnableEnergySaver` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- EnergySaverBatteryThresholdPluggedIn-DFProperties-End --> <!-- EnergySaverBatteryThresholdPluggedIn-DFProperties-End -->
<!-- EnergySaverBatteryThresholdPluggedIn-GpMapping-Begin --> <!-- EnergySaverBatteryThresholdPluggedIn-GpMapping-Begin -->


@ -1,7 +1,7 @@
--- ---
title: System Policy CSP title: System Policy CSP
description: Learn more about the System Area in Policy CSP. description: Learn more about the System Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -12,6 +12,8 @@ ms.topic: generated-reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- System-Editable-Begin --> <!-- System-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- System-Editable-End --> <!-- System-Editable-End -->
@ -1195,6 +1197,59 @@ If you don't configure this policy setting, or you set it to "Enable diagnostic
<!-- ConfigureTelemetryOptInSettingsUx-End --> <!-- ConfigureTelemetryOptInSettingsUx-End -->
<!-- DisableCHPE-Begin -->
## DisableCHPE
<!-- DisableCHPE-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCHPE-Applicability-End -->
<!-- DisableCHPE-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/System/DisableCHPE
```
<!-- DisableCHPE-OmaUri-End -->
<!-- DisableCHPE-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether loading CHPE binaries is disabled on the ARM64 device. This policy has no effect on x64 devices.
- If you enable this policy setting, ARM64 devices won't load CHPE binaries. This setting is required for hotpatching on ARM64 devices.
- If you disable or don't configure this policy setting, ARM64 devices will load CHPE binaries.
<!-- DisableCHPE-Description-End -->
<!-- DisableCHPE-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCHPE-Editable-End -->
<!-- DisableCHPE-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCHPE-DFProperties-End -->
<!-- DisableCHPE-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CHPE Binaries Enabled (Default). |
| 1 | CHPE Binaries Disabled. |
<!-- DisableCHPE-AllowedValues-End -->
<!-- DisableCHPE-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCHPE-Examples-End -->
<!-- DisableCHPE-End -->
<!-- DisableDeviceDelete-Begin --> <!-- DisableDeviceDelete-Begin -->
## DisableDeviceDelete ## DisableDeviceDelete


@ -1,7 +1,7 @@
--- ---
title: Update Policy CSP title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP. description: Learn more about the Update Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -2054,7 +2054,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | | 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. | | 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. After the update is installed, if the user hasn't scheduled a restart, the device will attempt to restart automatically. The user will be notified about the scheduled restart and can reschedule it if the proposed time is inconvenient. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. |
| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. | | 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. |
| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. |


@ -1,7 +1,7 @@
--- ---
title: WindowsAI Policy CSP title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP. description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 03/12/2025 ms.date: 03/27/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -22,7 +22,7 @@ ms.topic: generated-reference
<!-- AllowRecallEnablement-Applicability-Begin --> <!-- AllowRecallEnablement-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- AllowRecallEnablement-Applicability-End --> <!-- AllowRecallEnablement-Applicability-End -->
<!-- AllowRecallEnablement-OmaUri-Begin --> <!-- AllowRecallEnablement-OmaUri-Begin -->
@ -91,7 +91,7 @@ This policy setting allows you to determine whether the Recall optional componen
<!-- DisableAIDataAnalysis-Applicability-Begin --> <!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- DisableAIDataAnalysis-Applicability-End --> <!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin --> <!-- DisableAIDataAnalysis-OmaUri-Begin -->
@ -158,13 +158,75 @@ If you set this policy to disabled, end users will have a choice to save snapsho
<!-- DisableAIDataAnalysis-End --> <!-- DisableAIDataAnalysis-End -->
<!-- DisableClickToDo-Begin -->
## DisableClickToDo
<!-- DisableClickToDo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableClickToDo-Applicability-End -->
<!-- DisableClickToDo-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableClickToDo
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableClickToDo
```
<!-- DisableClickToDo-OmaUri-End -->
<!-- DisableClickToDo-Description-Begin -->
<!-- Description-Source-DDF -->
Click to Do lets people take action on content on their screens. When activated, it takes a screenshot of their screen and analyzes it to present actions. Click to Do ends when they exit it, and it can't take screenshots while closed. Screenshot analysis is always performed locally on their device. By default, Click to Do is enabled for users. This policy setting allows you to determine whether Click to Do is available for users on their device. When the policy is enabled, the Click to Do component and entry points won't be available to users. When the policy is disabled, users will have Click to Do available on their device.
<!-- DisableClickToDo-Description-End -->
<!-- DisableClickToDo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableClickToDo-Editable-End -->
<!-- DisableClickToDo-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- DisableClickToDo-DFProperties-End -->
<!-- DisableClickToDo-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Click to Do is enabled. |
| 1 (Default) | Click to Do is disabled. |
<!-- DisableClickToDo-AllowedValues-End -->
<!-- DisableClickToDo-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableClickToDo |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
<!-- DisableClickToDo-GpMapping-End -->
<!-- DisableClickToDo-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableClickToDo-Examples-End -->
<!-- DisableClickToDo-End -->
<!-- DisableCocreator-Begin --> <!-- DisableCocreator-Begin -->
## DisableCocreator ## DisableCocreator
<!-- DisableCocreator-Applicability-Begin --> <!-- DisableCocreator-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCocreator-Applicability-End --> <!-- DisableCocreator-Applicability-End -->
<!-- DisableCocreator-OmaUri-Begin --> <!-- DisableCocreator-OmaUri-Begin -->
@ -226,7 +288,7 @@ This policy setting allows you to control whether Cocreator functionality is dis
<!-- DisableGenerativeFill-Applicability-Begin --> <!-- DisableGenerativeFill-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableGenerativeFill-Applicability-End --> <!-- DisableGenerativeFill-Applicability-End -->
<!-- DisableGenerativeFill-OmaUri-Begin --> <!-- DisableGenerativeFill-OmaUri-Begin -->
@ -288,7 +350,7 @@ This policy setting allows you to control whether generative fill functionality
<!-- DisableImageCreator-Applicability-Begin --> <!-- DisableImageCreator-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableImageCreator-Applicability-End --> <!-- DisableImageCreator-Applicability-End -->
<!-- DisableImageCreator-OmaUri-Begin --> <!-- DisableImageCreator-OmaUri-Begin -->
@ -370,6 +432,7 @@ This policy setting determines which app opens when the user presses the Copilot
<!-- SetCopilotHardwareKey-Editable-Begin --> <!-- SetCopilotHardwareKey-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The property value is the Application User Model ID (AUMID) for the target application. For example: the Microsoft 365 Copilot app is `Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub`. For more information, see [Find the application user model ID of an installed app](/windows/configuration/store/find-aumid?tabs=ps%2Cexplorer&pivots=windows-11).
<!-- SetCopilotHardwareKey-Editable-End --> <!-- SetCopilotHardwareKey-Editable-End -->
<!-- SetCopilotHardwareKey-DFProperties-Begin --> <!-- SetCopilotHardwareKey-DFProperties-Begin -->
@ -406,7 +469,7 @@ This policy setting determines which app opens when the user presses the Copilot
<!-- SetDenyAppListForRecall-Applicability-Begin --> <!-- SetDenyAppListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- SetDenyAppListForRecall-Applicability-End --> <!-- SetDenyAppListForRecall-Applicability-End -->
<!-- SetDenyAppListForRecall-OmaUri-Begin --> <!-- SetDenyAppListForRecall-OmaUri-Begin -->
@ -475,7 +538,7 @@ For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
<!-- SetDenyUriListForRecall-Applicability-Begin --> <!-- SetDenyUriListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- SetDenyUriListForRecall-Applicability-End --> <!-- SetDenyUriListForRecall-Applicability-End -->
<!-- SetDenyUriListForRecall-OmaUri-Begin --> <!-- SetDenyUriListForRecall-OmaUri-Begin -->
@ -540,7 +603,7 @@ Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Ac
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-Begin --> <!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-End --> <!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-Begin --> <!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-Begin -->
@ -616,7 +679,7 @@ Snapshots aren't deleted until the maximum storage allocation for Recall is reac
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-Begin --> <!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 with [KB5052093](https://support.microsoft.com/help/5052093) [10.0.26100.3323] and later <br> ✅ Windows Insider Preview |
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-End --> <!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-Begin --> <!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-Begin -->


@ -1,7 +1,7 @@
--- ---
title: Reboot DDF file title: Reboot DDF file
description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider.
ms.date: 02/13/2025 ms.date: 04/04/2025
ms.topic: generated-reference ms.topic: generated-reference
--- ---
@ -96,7 +96,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description> <Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. Both the date and time are required. A reboot will be scheduled to occur at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -123,7 +123,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description> <Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every day at the configured time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -150,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the R
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description> <Description>Value in ISO8601 date and time format (such as 2025-10-07T10:35:00) is required. While it is supported to set either DailyRecurrent or WeeklyRecurrent schedules, it is not supported to enable both settings simultaneously. A reboot will be scheduled to occur every week at the configured day and time starting at the specified date and time. Setting a null (empty) date will delete the existing schedule.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>


@ -0,0 +1,551 @@
---
title: RemoteRemediation CSP
description: Learn more about the RemoteRemediation CSP.
ms.date: 03/26/2025
ms.topic: generated-reference
---
<!-- Auto-Generated CSP Document -->
<!-- RemoteRemediation-Begin -->
# RemoteRemediation CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- RemoteRemediation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RemoteRemediation-Editable-End -->
<!-- RemoteRemediation-Tree-Begin -->
The following list shows the RemoteRemediation configuration service provider nodes:
- ./Vendor/MSFT/RemoteRemediation
- [CloudRemediationSettings](#cloudremediationsettings)
- [AutoRemediationSettings](#cloudremediationsettingsautoremediationsettings)
- [EnableAutoRemediation](#cloudremediationsettingsautoremediationsettingsenableautoremediation)
- [SetRetryInterval](#cloudremediationsettingsautoremediationsettingssetretryinterval)
- [SetTimeToReboot](#cloudremediationsettingsautoremediationsettingssettimetoreboot)
- [EnableCloudRemediation](#cloudremediationsettingsenablecloudremediation)
- [NetworkSettings](#cloudremediationsettingsnetworksettings)
- [NetworkCredentials](#cloudremediationsettingsnetworksettingsnetworkcredentials)
- [NetworkPassword](#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpassword)
- [NetworkPasswordEncryptionStore](#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpasswordencryptionstore)
- [NetworkPasswordEncryptionType](#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkpasswordencryptiontype)
- [NetworkSSID](#cloudremediationsettingsnetworksettingsnetworkcredentialsnetworkssid)
<!-- RemoteRemediation-Tree-End -->
<!-- Device-CloudRemediationSettings-Begin -->
## CloudRemediationSettings
<!-- Device-CloudRemediationSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-Applicability-End -->
<!-- Device-CloudRemediationSettings-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings
```
<!-- Device-CloudRemediationSettings-OmaUri-End -->
<!-- Device-CloudRemediationSettings-Description-Begin -->
<!-- Description-Source-DDF -->
Interior node containing settings related to cloud remediation. Delete on this node will reset all cloud remediation settings to their default values.
<!-- Device-CloudRemediationSettings-Description-End -->
<!-- Device-CloudRemediationSettings-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-Editable-End -->
<!-- Device-CloudRemediationSettings-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Add, Delete, Get, Replace |
| Atomic Required | True |
<!-- Device-CloudRemediationSettings-DFProperties-End -->
<!-- Device-CloudRemediationSettings-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-Examples-End -->
<!-- Device-CloudRemediationSettings-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Begin -->
### CloudRemediationSettings/AutoRemediationSettings
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Applicability-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings
```
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-OmaUri-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Description-Begin -->
<!-- Description-Source-DDF -->
Interior node containing settings related to auto remediation. Delete on this node will reset all auto remediation settings to their default values.
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Description-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Editable-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-DFProperties-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-Examples-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Begin -->
#### CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Applicability-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation
```
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-OmaUri-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Description-Begin -->
<!-- Description-Source-DDF -->
Enable or disable auto remediation.
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Description-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Editable-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnableCloudRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-DFProperties-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| true | Auto remediation enabled. |
| false | Auto remediation disabled. |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-AllowedValues-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-Examples-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-EnableAutoRemediation-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Begin -->
#### CloudRemediationSettings/AutoRemediationSettings/SetRetryInterval
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Applicability-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetRetryInterval
```
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-OmaUri-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Description-Begin -->
<!-- Description-Source-DDF -->
Get/set the retry interval (in minutes) during auto cloud remediation. The retry interval shouldn't be higher than the time to reboot. "SetRetryInterval" is dependent on "EnableAutoRemediation" and only takes effect if "EnableAutoRemediation" is set to true. Otherwise, an invalid argument error will be returned and no changes will be made.
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Description-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Editable-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1,4320]` |
| Dependency [EnableAutoRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-DFProperties-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-Examples-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetRetryInterval-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Begin -->
#### CloudRemediationSettings/AutoRemediationSettings/SetTimeToReboot
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Applicability-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetTimeToReboot
```
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-OmaUri-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Description-Begin -->
<!-- Description-Source-DDF -->
Get/set the time to reboot (in minutes) during auto cloud remediation. The maximum time to reboot possible is 72 hours. "SetTimeToReboot" is dependent on "EnableAutoRemediation" and only takes effect if "EnableAutoRemediation" is set to true. Otherwise an invalid argument error will be returned and no changes will be made.
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Description-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Editable-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-4320]` |
| Dependency [EnableAutoRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-DFProperties-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-Examples-End -->
<!-- Device-CloudRemediationSettings-AutoRemediationSettings-SetTimeToReboot-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Begin -->
### CloudRemediationSettings/EnableCloudRemediation
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Applicability-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation
```
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-OmaUri-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Description-Begin -->
<!-- Description-Source-DDF -->
Enable or disable cloud remediation.
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Description-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Editable-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-DFProperties-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| true | Cloud remediation enabled. |
| false | Cloud remediation disabled. |
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-AllowedValues-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-Examples-End -->
<!-- Device-CloudRemediationSettings-EnableCloudRemediation-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Begin -->
### CloudRemediationSettings/NetworkSettings
<!-- Device-CloudRemediationSettings-NetworkSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings
```
<!-- Device-CloudRemediationSettings-NetworkSettings-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Description-Begin -->
<!-- Description-Source-DDF -->
Interior node containing settings related to network.
<!-- Device-CloudRemediationSettings-NetworkSettings-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-CloudRemediationSettings-NetworkSettings-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Begin -->
#### CloudRemediationSettings/NetworkSettings/NetworkCredentials
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials
```
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Description-Begin -->
<!-- Description-Source-DDF -->
Interior node containing settings related to network credentials.
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Begin -->
##### CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPassword
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPassword
```
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Description-Begin -->
<!-- Description-Source-DDF -->
Get/Set the password for the wifi network that cloud remediation will attempt to connect during cloud remediation.
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnableCloudRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPassword-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Begin -->
##### CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionStore
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionStore
```
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Description-Begin -->
<!-- Description-Source-DDF -->
The encryption store that's specified if we are using a custom certificate for password encryption.
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnableCloudRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings//AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionStore-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Begin -->
##### CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionType
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionType
```
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Description-Begin -->
<!-- Description-Source-DDF -->
The type of encryption that might be used for the network password.
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnableCloudRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings//AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | No encryption. |
| 2 | Encrypt using Mdm certificate. |
| 3 | Encrypt with custom certificate. |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-AllowedValues-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkPasswordEncryptionType-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Begin -->
##### CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkSSID
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Applicability-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-OmaUri-Begin -->
```Device
./Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkSSID
```
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-OmaUri-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Description-Begin -->
<!-- Description-Source-DDF -->
Get/Set the network SSID that cloud remediation will attempt to connect to during remediation.
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Description-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Editable-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnableCloudRemediation] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-DFProperties-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-Examples-End -->
<!-- Device-CloudRemediationSettings-NetworkSettings-NetworkCredentials-NetworkSSID-End -->
<!-- RemoteRemediation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- RemoteRemediation-CspMoreInfo-End -->
<!-- RemoteRemediation-End -->
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -0,0 +1,479 @@
---
title: RemoteRemediation DDF file
description: View the XML file containing the device description framework (DDF) for the RemoteRemediation configuration service provider.
ms.date: 03/26/2025
ms.topic: generated-reference
---
<!-- Auto-Generated CSP Document -->
# RemoteRemediation DDF file
The following XML file contains the device description framework (DDF) for the RemoteRemediation configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>RemoteRemediation</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for remote remediation function.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>CloudRemediationSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Interior node containing settings related to cloud remediation. Delete on this node will reset all cloud remediation settings to their default values.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:AtomicRequired />
</DFProperties>
<Node>
<NodeName>EnableCloudRemediation</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable or disable cloud remediation.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation disabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutoRemediationSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Interior node containing settings related to auto remediation. Delete on this node will reset all auto remediation settings to their default values.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableAutoRemediation</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable or disable auto remediation.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Auto remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Auto remediation disabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableCloudRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>SetTimeToReboot</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Get/set the time to reboot (in minutes) during auto cloud remediation. The maximum time to reboot possible is 72 hours. "SetTimeToReboot" is dependent on "EnableAutoRemediation" and only takes effect if "EnableAutoRemediation" is set to true. Otherwise an invalid argument error will be returned and no changes will be made.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[1-4320]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableAutoRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Auto remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>SetRetryInterval</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Get/set the retry interval (in minutes) during auto cloud remediation. The retry interval should not be higher than the time to reboot. "SetRetryInterval" is dependent on "EnableAutoRemediation" and only takes effect if "EnableAutoRemediation" is set to true. Otherwise, an invalid argument error will be returned and no changes will be made.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[1,4320]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableAutoRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Auto remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>NetworkSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Interior node containing settings related to network.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>NetworkCredentials</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Interior node containing settings related to network credentials.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>NetworkSSID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Get/Set the network SSID that cloud remediation will attempt to connect to during remediation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableCloudRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>NetworkPassword</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Get/Set the password for the wifi network that cloud remediation will attempt to connect during cloud remediation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableCloudRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>NetworkPasswordEncryptionType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The type of encryption that might be used for the network password.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>No encryption</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Encrypt using Mdm certificate</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Encrypt with custom certificate</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableCloudRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings//AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>NetworkPasswordEncryptionStore</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The encryption store that is specified if we are using a custom certificate for password encryption.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnableCloudRemediation">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings//AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Cloud remediation enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related articles
[RemoteRemediation configuration service provider reference](remoteremediation-csp.md)
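Review bot: The four nodes under `NetworkCredentials` declare a dependency group with `FriendlyId="EnableCloudRemediation"` and the value description "Cloud remediation enabled", but their `DependencyUri` points at `.../AutoRemediationSettings/EnableAutoRemediation`, so the listing does not say which switch actually gates the Wi-Fi settings. In `NetworkPasswordEncryptionType` and `NetworkPasswordEncryptionStore` that URI also carries a doubled slash (`CloudRemediationSettings//AutoRemediationSettings`); the intended line is presumably `<MSFT:DependencyUri>Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation</MSFT:DependencyUri>`, or the `EnableCloudRemediation` path if the FriendlyId is the correct one. `NetworkPassword` is a `chr` node that lists `Get` in its access types, and `NetworkPasswordEncryptionType` accepts `1` (No encryption); because this is a Wi-Fi credential, the description should state what a Get returns and whether an unencrypted value is stored or transported in the clear. `SetRetryInterval` writes its range as `[1,4320]` while `SetTimeToReboot` uses `[1-4320]`; one of the two is likely a typo. The page is marked auto-generated, so these would need fixing in the source DDF rather than in this file.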


@ -866,6 +866,11 @@ items:
items: items:
- name: RemoteFind DDF file - name: RemoteFind DDF file
href: remotefind-ddf-file.md href: remotefind-ddf-file.md
- name: RemoteRemediation
href: remoteremediation-csp.md
items:
- name: RemoteRemediation DDF file
href: remoteremediation-ddf-file.md
- name: RemoteWipe - name: RemoteWipe
href: remotewipe-csp.md href: remotewipe-csp.md
items: items:


@ -50,6 +50,8 @@ items:
href: device-update-management.md href: device-update-management.md
- name: Updated Windows and Microsoft 365 Copilot Chat experience - name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md href: manage-windows-copilot.md
- name: Manage Click to Do
href: manage-click-to-do.md
- name: Manage Recall - name: Manage Recall
href: manage-recall.md href: manage-recall.md
- name: Reference for sensitive information filtering in Recall - name: Reference for sensitive information filtering in Recall


@ -0,0 +1,10 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_461_479)">
<path d="M9.01098 0.225006C9.67158 0.23262 10.3296 0.30894 10.9743 0.452742C11.2558 0.515517 11.4663 0.750165 11.4982 1.03677L11.6514 2.41094C11.7208 3.04188 12.2535 3.51976 12.8885 3.52043C13.0593 3.5207 13.2281 3.48515 13.3859 3.41535L14.6464 2.86161C14.9086 2.74644 15.215 2.80923 15.4106 3.01826C16.3216 3.99118 17 5.15804 17.3949 6.43103C17.4801 6.70553 17.3821 7.00383 17.1508 7.17436L16.0334 7.99795C15.7146 8.23213 15.5264 8.60401 15.5264 8.99956C15.5264 9.39502 15.7146 9.7669 16.0341 10.0016L17.1524 10.8255C17.3838 10.9959 17.4819 11.2943 17.3967 11.5689C17.002 12.8417 16.3239 14.0084 15.4135 14.9815C15.218 15.1905 14.9119 15.2535 14.6498 15.1385L13.3841 14.5841C13.0219 14.4256 12.6061 14.4488 12.2639 14.6466C11.9217 14.8443 11.694 15.1931 11.6505 15.5859L11.4983 16.96C11.4669 17.2433 11.261 17.4764 10.9836 17.5424C9.68004 17.8525 8.32185 17.8525 7.01823 17.5424C6.74092 17.4764 6.53495 17.2433 6.50356 16.96L6.35162 15.588C6.30699 15.1959 6.07891 14.8482 5.73698 14.6511C5.39506 14.454 4.97988 14.4309 4.61898 14.5885L3.35301 15.143C3.0908 15.258 2.78463 15.195 2.5891 14.9858C1.67816 14.0117 1.00007 12.8435 0.605881 11.5693C0.520975 11.2949 0.619075 10.9967 0.850366 10.8264L1.96936 10.002C2.28809 9.7678 2.47632 9.39592 2.47632 9.00046C2.47632 8.60491 2.28809 8.23303 1.96894 7.99858L0.850645 7.17557C0.619021 7.00511 0.520831 6.70661 0.606034 6.43193C1.00091 5.15894 1.67935 3.99208 2.59032 3.01916C2.78603 2.81013 3.09235 2.74734 3.35452 2.86251L4.61486 3.41615C4.97751 3.57531 5.39442 3.55127 5.73819 3.35043C6.08048 3.15189 6.30836 2.8028 6.35235 2.40988L6.50542 1.03677C6.53739 0.750021 6.74807 0.515292 7.02972 0.452652C7.67529 0.309084 8.334 0.232791 9.01098 0.225006ZM8.99973 6.29996C7.50852 6.29996 6.29973 7.5088 6.29973 9.00001C6.29973 10.4911 7.50852 11.7 8.99973 11.7C10.4909 11.7 11.6997 10.4911 11.6997 9.00001C11.6997 7.5088 10.4909 6.29996 8.99973 6.29996Z" fill="#0883D9"/>
</g>
<defs>
<clipPath id="clip0_461_479">
<rect width="18" height="18" fill="white"/>
</clipPath>
</defs>
</svg>


@ -0,0 +1,3 @@
<svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M15.75 10.3496C15.4857 10.2585 15.2441 10.1309 15.0254 9.9668C14.8158 9.80273 14.6335 9.61133 14.4785 9.39258C14.3236 9.17383 14.2051 8.93685 14.123 8.68164C14.041 8.42643 14 8.15755 14 7.875V2.625C14 2.26953 14.0684 1.93229 14.2051 1.61328C14.3418 1.29427 14.5286 1.01628 14.7656 0.779297C15.0117 0.533203 15.2943 0.341797 15.6133 0.205078C15.9323 0.0683594 16.2695 0 16.625 0H25.375C25.7305 0 26.0677 0.0683594 26.3867 0.205078C26.7057 0.341797 26.9837 0.533203 27.2207 0.779297C27.4668 1.01628 27.6582 1.29427 27.7949 1.61328C27.9316 1.93229 28 2.26953 28 2.625V7.875C28 8.23047 27.9316 8.56771 27.7949 8.88672C27.6582 9.20573 27.4668 9.48828 27.2207 9.73438C26.9837 9.97135 26.7057 10.1582 26.3867 10.2949C26.0677 10.4316 25.7305 10.5 25.375 10.5H20.4805L17.9922 13.002C17.737 13.2572 17.4271 13.3848 17.0625 13.3848C16.8984 13.3848 16.7298 13.3483 16.5566 13.2754C16.3014 13.1751 16.1009 13.0156 15.9551 12.7969C15.8184 12.5781 15.75 12.3366 15.75 12.0723V10.3496ZM17.5 11.0059L19.7559 8.75H25.375C25.612 8.75 25.8171 8.66341 25.9902 8.49023C26.1634 8.31706 26.25 8.11198 26.25 7.875V2.625C26.25 2.38802 26.1634 2.18294 25.9902 2.00977C25.8171 1.83659 25.612 1.75 25.375 1.75H16.625C16.388 1.75 16.1829 1.83659 16.0098 2.00977C15.8366 2.18294 15.75 2.38802 15.75 2.625V7.875C15.75 8.07552 15.7865 8.23503 15.8594 8.35352C15.9414 8.47201 16.0417 8.56315 16.1602 8.62695C16.2878 8.68164 16.4245 8.7181 16.5703 8.73633C16.7253 8.75456 16.8802 8.76367 17.0352 8.76367C17.1172 8.76367 17.1947 8.76367 17.2676 8.76367C17.3496 8.75456 17.4271 8.75 17.5 8.75V11.0059ZM3.5 10.5V10.3906C3.5 9.67969 3.64128 9.01432 3.92383 8.39453C4.20638 7.76562 4.58919 7.21875 5.07227 6.75391C5.55534 6.28906 6.11133 5.92448 6.74023 5.66016C7.37826 5.38672 8.04818 5.25 8.75 5.25C9.47917 5.25 10.1628 5.38672 10.8008 5.66016C11.4388 5.93359 11.9948 6.30729 12.4688 6.78125C12.9427 7.25521 13.3164 7.8112 13.5898 8.44922C13.8633 9.08724 14 9.77083 14 10.5C14 11.2292 13.8633 11.9128 13.5898 12.5508C13.3164 
13.1888 12.9427 13.7448 12.4688 14.2188C11.9948 14.6927 11.4388 15.0664 10.8008 15.3398C10.1628 15.6133 9.47917 15.75 8.75 15.75C8.02083 15.75 7.33724 15.6133 6.69922 15.3398C6.0612 15.0664 5.50521 14.6927 5.03125 14.2188C4.55729 13.7448 4.18359 13.1888 3.91016 12.5508C3.63672 11.9128 3.5 11.2292 3.5 10.5ZM12.25 10.5V10.4316C12.25 9.95768 12.1543 9.51562 11.9629 9.10547C11.7715 8.6862 11.5163 8.32161 11.1973 8.01172C10.8783 7.70182 10.5046 7.45573 10.0762 7.27344C9.6569 7.09115 9.21484 7 8.75 7C8.26693 7 7.8112 7.0957 7.38281 7.28711C6.96354 7.4694 6.5944 7.72005 6.27539 8.03906C5.96549 8.34896 5.71484 8.7181 5.52344 9.14648C5.34115 9.57487 5.25 10.026 5.25 10.5C5.25 10.9831 5.34115 11.4388 5.52344 11.8672C5.71484 12.2865 5.96549 12.6556 6.27539 12.9746C6.5944 13.2845 6.96354 13.5352 7.38281 13.7266C7.8112 13.9089 8.26693 14 8.75 14C9.22396 14 9.67513 13.9089 10.1035 13.7266C10.5319 13.5352 10.901 13.2845 11.2109 12.9746C11.5299 12.6556 11.7806 12.2865 11.9629 11.8672C12.1543 11.4388 12.25 10.9831 12.25 10.5ZM0 20.5625C0 20.1888 0.0638021 19.8197 0.191406 19.4551C0.31901 19.0814 0.501302 18.7533 0.738281 18.4707C0.97526 18.179 1.25781 17.9466 1.58594 17.7734C1.92318 17.5911 2.29232 17.5 2.69336 17.5H14.8066C15.2077 17.5 15.5723 17.5911 15.9004 17.7734C16.2376 17.9466 16.5247 18.179 16.7617 18.4707C16.9987 18.7533 17.181 19.0814 17.3086 19.4551C17.4362 19.8197 17.5 20.1888 17.5 20.5625C17.5 21.9753 17.1855 23.224 16.5566 24.3086C15.9277 25.3841 14.9935 26.2591 13.7539 26.9336C12.9883 27.3529 12.1771 27.6354 11.3203 27.7812C10.4635 27.9271 9.60677 28 8.75 28C7.98438 28 7.21419 27.9362 6.43945 27.8086C5.67383 27.681 4.9401 27.4714 4.23828 27.1797C3.54557 26.8789 2.90755 26.487 2.32422 26.0039C1.75 25.5117 1.27148 24.9056 0.888672 24.1855C0.597005 23.6204 0.373698 23.0326 0.21875 22.4219C0.0729167 21.8112 0 21.1914 0 20.5625ZM15.75 20.5625C15.75 20.4349 15.7272 20.2936 15.6816 20.1387C15.6452 19.9837 15.5859 19.8424 15.5039 19.7148C15.431 19.5781 15.3353 19.4688 
15.2168 19.3867C15.0983 19.2956 14.9616 19.25 14.8066 19.25H2.69336C2.53841 19.25 2.40169 19.2956 2.2832 19.3867C2.16471 19.4688 2.06445 19.5781 1.98242 19.7148C1.90951 19.8424 1.85026 19.9837 1.80469 20.1387C1.76823 20.2936 1.75 20.4349 1.75 20.5625C1.75 21.6016 1.94141 22.4857 2.32422 23.2148C2.70703 23.9349 3.21745 24.5228 3.85547 24.9785C4.5026 25.4251 5.24544 25.7487 6.08398 25.9492C6.93164 26.1497 7.82031 26.25 8.75 26.25C9.67969 26.25 10.5638 26.1497 11.4023 25.9492C12.25 25.7487 12.9928 25.4251 13.6309 24.9785C14.278 24.5228 14.793 23.9349 15.1758 23.2148C15.5586 22.4857 15.75 21.6016 15.75 20.5625Z" fill="#0883D9"/>
</svg>


@ -0,0 +1,7 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M3.46385 12.006L1.41972 14.0625L3.46272 16.11L2.66735 16.9054L0.224976 14.4596V13.6643L2.66622 11.2129L3.46385 12.006ZM9.79985 11.2185L9.01235 12.0161L11.0666 14.0625L9.00672 16.11L9.79985 16.9076L12.2625 14.463V13.6654L9.79985 11.2185ZM4.5281 17.2598L5.59685 17.6153L7.84685 10.8653L6.7781 10.5098L4.5281 17.2598Z" fill="#0883D9"/>
<g opacity="0.75">
<path d="M15.5858 4.66425L12.2108 1.28925L11.8125 1.125H2.8125L2.25 1.6875V10.125H3.375V2.25H11.25V5.625H14.625V15.75H12.5618L11.43 16.875H15.1875L15.75 16.3125V5.0625L15.5858 4.66425Z" fill="#0883D9"/>
<path opacity="0.1" d="M15.1875 5.0625V16.3125H11.9959L13.3875 14.931V13.1985L10.125 10.125H2.8125V1.6875H11.8125L15.1875 5.0625Z" fill="#0883D9"/>
</g>
</svg>


Binary file not shown.


Binary file not shown.


@ -0,0 +1,17 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.topic: include
ms.date: 04/01/2025
---
:::row:::
:::column span="1":::
:::image type="content" source="../images/windows-update.png" alt-text="Logo of Windows Update." border="false":::
:::column-end:::
:::column span="3":::
> [!IMPORTANT]
>This article describes a Windows feature that is currently being rolled out using Controlled Feature Rollout (CFR) technology. If your device doesn't have the described feature yet, check again at a later time. For more information, see [Delivering continuous innovation in Windows](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).
:::column-end:::
:::row-end:::


@ -0,0 +1,16 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.topic: include
ms.date: 01/11/2024
---
:::row:::
:::column span="1":::
:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
:::column-end:::
:::column span="3":::
> [!IMPORTANT]
>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview.
:::column-end:::
:::row-end:::


@ -1,7 +1,7 @@
--- ---
title: Keyboard Filter title: Keyboard Filter
description: Keyboard Filter description: Keyboard Filter
ms.date: 01/13/2025 ms.date: 03/20/2025
ms.topic: overview ms.topic: overview
--- ---
@ -120,7 +120,7 @@ For more information about Keyboard Filter WMI providers, see [Keyboard Filter W
You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account. You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account.
The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect. The breakout key is set to the scan code for the left Windows key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect.
## Keyboard Filter considerations ## Keyboard Filter considerations
@ -132,7 +132,7 @@ Some hardware keys, such as rotation lock, don't have a defined virtual key. You
The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply. The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply.
When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior. When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows key+L, the extra Windows key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior.
Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search. Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search.


@ -1,7 +1,7 @@
--- ---
title: Predefined key combinations title: Predefined key combinations
description: Predefined key combinations description: Predefined key combinations
ms.date: 01/13/2025 ms.date: 03/20/2025
ms.topic: reference ms.topic: reference
--- ---
@ -21,7 +21,7 @@ The following table contains predefined key combinations for accessibility:
|:-------------------------------------|:--------------------------|:----------------------------| |:-------------------------------------|:--------------------------|:----------------------------|
| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. | | Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. |
| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. | | Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. |
| Windows logo key + U | **Win+U** | Open Ease of Access Center. | | Windows key + U | **Win+U** | Open Ease of Access Center. |
## Application keys ## Application keys
@ -31,7 +31,7 @@ The following table contains predefined key combinations for controlling applica
|:----------------------|:----------------------|:-------------------| |:----------------------|:----------------------|:-------------------|
| Alt + F4 | **Alt+F4** | Close application. | | Alt + F4 | **Alt+F4** | Close application. |
| Ctrl + F4 | **Ctrl+F4** | Close window. | | Ctrl + F4 | **Ctrl+F4** | Close window. |
| Windows logo key + F1 | **Win+F1** | Open Windows Help. | | Windows key + F1 | **Win+F1** | Open Windows Help. |
## Shell keys ## Shell keys
@ -41,47 +41,47 @@ The following table contains predefined key combinations for general UI control:
|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------| |:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. | | Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. |
| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. | | Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. |
| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. | | Ctrl + Windows key + F | **Ctrl+Win+F** | Open Find Computers. |
| Windows logo key + Break | **Win+Break** | Open System dialog box. | | Windows key + Break | **Win+Break** | Open System dialog box. |
| Windows logo key + E | **Win+E** | Open Windows Explorer. | | Windows key + E | **Win+E** | Open Windows Explorer. |
| Windows + F | **Win+F** | Open Search. | | Windows + F | **Win+F** | Open Search. |
| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. | | Windows key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows key + Shift + P and the Windows key + Ctrl + P key combinations. |
| Windows logo key + R | **Win+R** | Open Run dialog box. | | Windows key + R | **Win+R** | Open Run dialog box. |
| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. | | Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. |
| Ctrl + Tab | **Ctrl+Tab** | Switch window. | | Ctrl + Tab | **Ctrl+Tab** | Switch window. |
| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. | | Windows key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows key + Ctrl + Tab and Windows key + Shift + Tab key combinations. |
| Windows logo key + D | **Win+D** | Show desktop. | | Windows key + D | **Win+D** | Show desktop. |
| Windows logo key + M | **Win+M** | Minimize all windows. | | Windows key + M | **Win+M** | Minimize all windows. |
| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. | | Windows key + Home | **Win+Home** | Minimize or restore all inactive windows. |
| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. | | Windows key + T | **Win+T** | Set focus on taskbar and cycle through programs. |
| Windows logo key + B | **Win+B** | Set focus in the notification area. | | Windows key + B | **Win+B** | Set focus in the notification area. |
| Windows logo key + Minus Sign | **Win+-** | Zoom out. | | Windows key + Minus Sign | **Win+-** | Zoom out. |
| Windows logo key + Plus Sign | **Win++** | Zoom in. | | Windows key + Plus Sign | **Win++** | Zoom in. |
| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. | | Windows key + Esc | **Win+Esc** | Close Magnifier application. |
| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. | | Windows key + Up Arrow | **Win+Up** | Maximize the active window. |
| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. | | Windows key + Down Arrow | **Win+Down** | Minimize the active window. |
| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. | | Windows key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. |
| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. | | Windows key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. |
| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. | | Windows key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. |
| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. | | Windows key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. |
| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. | | Windows key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. |
| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. | | Windows key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. |
| Windows logo key + Spacebar | **Win+Space** | Switch layout. | | Windows key + Spacebar | **Win+Space** | Switch layout. |
| Windows logo key + O | **Win+O** | Lock device orientation. | | Windows key + O | **Win+O** | Lock device orientation. |
| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. | | Windows key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. |
| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. | | Windows key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. |
| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. | | Windows key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows key + Shift + Period key combination. |
| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). | | Windows key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). |
| Windows logo key + I | **Win+I** | Open Settings charm. | | Windows key + I | **Win+I** | Open Settings charm. |
| Windows logo key + K | **Win+K** | Open Connect charm. | | Windows key + K | **Win+K** | Open Connect charm. |
| Windows logo key + H | **Win+H** | Start dictation. | | Windows key + H | **Win+H** | Start dictation. |
| Windows logo key + Q | **Win+Q** | Open Search charm. | | Windows key + Q | **Win+Q** | Open Search charm. |
| Windows logo key + W | **Win+W** | Open Windows Ink workspace. | | Windows key + W | **Win+W** | Open Windows Ink workspace. |
| Windows logo key + Z | **Win+Z** | Open app bar. | | Windows key + Z | **Win+Z** | Open app bar. |
| Windows logo key + / | **Win+/** | Open input method editor (IME). | | Windows key + / | **Win+/** | Open input method editor (IME). |
| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. | | Windows key + J | **Win+J** | Swap between snapped and filled applications. |
| Windows logo key + Comma | **Win+,** | Peek at the desktop. | | Windows key + Comma | **Win+,** | Peek at the desktop. |
| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. | | Windows key + V | **Win+V** | Cycle through toasts in reverse order. |
## Modifier keys ## Modifier keys
@ -93,7 +93,7 @@ The following table contains predefined key combinations for modifier keys (such
| Application | **Application** | Application key | | Application | **Application** | Application key |
| Ctrl | **Ctrl** | Both Ctrl keys | | Ctrl | **Ctrl** | Both Ctrl keys |
| Shift | **Shift** | Both Shift keys | | Shift | **Shift** | Both Shift keys |
| Windows logo key | **Windows** | Both Windows logo keys | | Windows key | **Windows** | Both Windows keys |
## Security keys ## Security keys
@ -103,7 +103,7 @@ The following table contains predefined key combinations for OS security:
|:-----------------------|:----------------------|:----------------------------------| |:-----------------------|:----------------------|:----------------------------------|
| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. | | Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. |
| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. | | Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. |
| Windows logo key + L | **Win+L** | Lock the device. | | Windows key + L | **Win+L** | Lock the device. |
## Extended shell keys ## Extended shell keys
@ -150,9 +150,9 @@ The following table contains predefined key combinations for Microsoft Surface d
| Key combination | WEKF_PredefinedKey.Id | Blocked key | | Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:------------------------------|:----------------------|:-------------| |:------------------------------|:----------------------|:-------------|
| Left Alt + Windows logo key | **AltWin** | Share key | | Left Alt + Windows key | **AltWin** | Share key |
| Left Ctrl + Windows logo key | **CtrlWin** | Devices key | | Left Ctrl + Windows key | **CtrlWin** | Devices key |
| Left Shift + Windows logo key | **ShiftWin** | Search key | | Left Shift + Windows key | **ShiftWin** | Search key |
| F21 | **F21** | Settings key | | F21 | **F21** | Settings key |
## Related topics ## Related topics


@ -1,7 +1,7 @@
--- ---
title: WEKF_Settings title: WEKF_Settings
description: WEKF_Settings description: WEKF_Settings
ms.date: 01/13/2025 ms.date: 03/20/2025
ms.topic: reference ms.topic: reference
--- ---
@ -43,7 +43,7 @@ The following table lists all settings available for Keyboard Filter.
|--------------|-------------| |--------------|-------------|
| **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. | | **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. |
| **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.</br>Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. | | **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.</br>Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. |
| **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.</br>By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key. | | **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.</br>By default, the BreakoutKeyScanCode is set to the scan code for the left Windows key. |
One instance of the **WEKF_Settings** class exists for each valid setting. One instance of the **WEKF_Settings** class exists for each valid setting.
@ -51,7 +51,7 @@ Changes to the **DisableKeyboardFilterForAdministrator** setting are applied whe
Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device. Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device.
If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows logo key or the right Windows logo key, both Windows Logo keys will work as the breakout key. If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows key or the right Windows key, both Windows keys will work as the breakout key.
The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled. The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled.

Binary file not shown.

After

Width:  |  Height:  |  Size: 61 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 216 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 66 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 21 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 77 KiB


@ -0,0 +1,243 @@
---
title: Quick Machine Recovery
description: Learn about quick machine recovery and how to configure it with the RemoteRemediation configuration service provider (CSP).
ms.topic: how-to
ms.date: 04/02/2025
ms.author: paoloma
author: paolomatarazzo
appliesto:
- "✅ <a href=\"https://learn.microsoft.com/windows-insider/flight-hub\" target=\"_blank\">Windows Insider (Beta Channel)</a>"
---
# Quick machine recovery
[!INCLUDE [insider-note](../includes/insider-note.md)]
Quick machine recovery is a feature that enables the recovery of Windows devices when they encounter critical errors that prevent them from booting. This feature can automatically search for remediations in the cloud and recover from widespread boot failures, significantly reducing the burden on IT administrators when multiple devices are affected.
Building on the foundation of [Startup Repair][SMC-1], quick machine recovery uses a secure and connected [Windows Recovery Environment][SMC-2] to scan Windows Update for remediation options. This allows devices to be recovered without requiring manual intervention.
## How it works
There are two main settings of quick machine recovery: cloud remediation and auto remediation.
### Cloud remediation
:::row:::
:::column span="3":::
Cloud remediation is the process of using Windows Update to find remediations and fix issues on devices:
- When enabled, devices connect to the network and utilize Windows Update during recovery scenarios
- When disabled, Windows uses Startup Repair as a local recovery option
:::column-end:::
:::column span="1":::
:::image type="content" source="images/quick-machine-recovery-network.png" alt-text="Screenshot of quick machine recovery boot while attempting to connect to the network." border="false" lightbox="images/quick-machine-recovery-network.png":::
:::column-end:::
:::row-end:::
> [!NOTE]
> Quick machine recovery is a best-effort feature. It might not always be able to find a solution for every issue.
### Auto remediation
:::row:::
:::column span="3":::
Auto remediation allows you to automate the recovery process:
- When enabled, the device connects automatically to Windows Update and tries to find a remediation. If a solution isn't found on the first attempt, the device retries without requiring manual intervention
:::column-end:::
:::column span="1":::
:::image type="content" source="images/auto-remediation.png" alt-text="Screnshot of the Windows Recovery Environment in the auto remediation screen, showing that the device retries to find a solution." border="false" lightbox="images/auto-remediation.png":::
:::row-end:::
:::row:::
:::column span="3":::
- When disabled or not configured, the device requires manual intervention to continue the recovery process
:::column-end:::
:::column span="1":::
:::image type="content" source="images/quick-machine-recovery-winre.png" alt-text="Screnshot of Windows Recovery Environment showing the quick machine recovery option." border="false" lightbox="images/quick-machine-recovery-winre.png":::
:::row-end:::
### Quick machine recovery process
Here are the phases of the quick machine recovery process:
1. **Device crash**: When the device fails to boot repeatedly, the system automatically detects the issue and initiates the recovery process
1. **Boot to recovery**: The device boots into the recovery environment to initiate the quick machine recovery process
1. **Network connection**: After a network connection is established, the device scans Windows Update for remediations
1. **Remediation**
- If no solution is found, the system retries the process based on the configured retry scanning intervals and time-outs
- If a solution is found, the system downloads and applies it
1. **Reboot**: After a remediation is applied, the device reboots:
- If the solution is successful, the device boots into Windows
- If the solution fails, the device reboots into the recovery environment again and the process repeats from step 2
:::image type="content" source="images/diagram.png" alt-text="Diagram of quick machine recovery showing the five phases of recovery." border="false" lightbox="images/diagram.png":::
## Configuration
Cloud remediation is enabled by default on Windows Home edition devices, while auto remediation is turned off by default. For Windows Pro and Enterprise editions, both cloud remediation and auto remediation are disabled by default. Organizations can decide the best configuration for their devices based on their specific needs.
The configuration options consist of:
- Enable or disable cloud remediation
- Enable or disable auto remediation
- Configure auto remediation scanning intervals and time-outs to optimize remediation triggers
- Configure network connections to ensure smooth recovery workflows
> [!IMPORTANT]
> Currently, only wired and WPA/WPA2 password-based Wi-Fi networks are supported. Ensure your network uses this configuration for compatibility.
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
# [:::image type="icon" source="../images/icons/cmd.svg"::: **Command prompt**](#tab/cmd)
To configure quick machine recovery using the command line, you must create an XML file with the desired settings and then use the `reagentc.exe` command to apply those settings.
Use the following command to apply the settings:
```cmd
reagentc.exe /setrecoverysettings /path settings.xml
```
Where `settings.xml` is the path to the XML file containing the quick machine recovery configuration.
### XML file example
The following XML file example configures quick machine recovery with the following settings:
- The Wi-Fi network has an SSID `ContosoWiFi` and a password `ContosoWiFiPassword`
- Cloud remediation is enabled (`state="1"`)
- Auto remediation is enabled (`state="1"`)
- The `totalwaittime` is set to 2,400 minutes (40 hours) and the `waitinterval` is set to 120 minutes (2 hours). Once configured, the system waits for 40 hours before rebooting, and it checks for remediation every 2 hours
```xml
<?xml version='1.0' encoding='utf-8'?>
<WindowsRE>
<WifiCredential>
<Wifi ssid="ContosoWiFi" password="ContosoWiFiPassword" />
</WifiCredential>
<CloudRemediation state="1" />
<AutoRemediation state="1" totalwaittime="2400" waitinterval="120"/>
</WindowsRE>
```
### Remove recovery settings
To remove the configured recovery settings, run the following command from an elevated command prompt:
```cmd
reagentc.exe /clearrecoverysettings
```
# [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
You can configure devices using a [custom policy][INT-1] with the [RemoteRemediation CSP][CSP-1].
### Cloud remediation configuration
Enable or disable cloud remediation using the following settings:
| Setting |
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation`<br>- **Data type:** Boolean<br>- **Value:** `True`<br>- **Description**: When set to `True`, cloud remediation is enabled. |
### Auto remediation configuration
Configure the following settings to customize the auto remediation experience:
| Setting |
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation`<br>- **Data type:** Boolean<br>- **Value:** `True`<br>- **Description**: When set to `True`, auto remediation is enabled. |
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetTimeToReboot`<br>- **Data type:** Integer<br>- **Value:** 1-4320 (default = 180)<br>- **Description**: Configure the time to reboot (in minutes) during auto remediation. The maximum time to reboot possible is 72 hours.|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetRetryInterval`<br>- **Data type:** Integer<br>- **Value:** 1-4320 (default = 30)<br>- **Description**: Configure the retry interval (in minutes) during auto remediation. The retry interval shouldn't be higher than the time to reboot.|
### Wi-Fi network connection configuration
To configure the Wi-Fi network connection used during recovery, use the following settings:
|Setting|
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkSSID`<br>- **Data type:** string<br>- **Value:** Wi-Fi network Service Set Identifier (SSID)|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPassword`<br>- **Data type:** string<br>- **Value:** Wi-Fi network password|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionType`<br>- **Data type:** Integer<br>- **Value:** `0` = The password isn't encrypted; `1` = The password is encrypted with the MDM certificate, `2` = The password is encrypted with custom certificate. When this value is used, you must also specify the custom store name in the `NetworkPasswordEncryptionStore` node.|
|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionStore`<br>- **Data type:** string<br>- **Value:** When a value of `2` is contained in `NetworkPasswordEncryptionType`, specify the store name where the certificate for decrypting the Network Password is stored.|
---
### Verify Recovery Settings
To check the configured recovery settings, run the following command from an elevated command prompt:
```cmd
reagentc.exe /getrecoverysettings
```
Output example:
```console
C:\>reagentc.exe /getrecoverysettings
<?xml version='1.0' encoding='utf-8'?>
<WindowsRE>
<WifiCredential>
<Wifi ssid="ContosoWiFi" password="ContosoWiFiPassword" />
</WifiCredential>
<CloudRemediation state="1" />
<AutoRemediation state="1" totalwaittime="2400" waitinterval="120"/>
</WindowsRE>
REAGENTC.EXE: Operation Successful.
```
## Test mode
:::row:::
:::column span="3":::
Quick machine recovery offers a *test mode*, providing a controlled, simulated environment for you to validate your configurations and the auto remediation process without triggering an actual system failure. Test mode allows you to verify that the recovery experience functions as expected before deployment to production systems.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/quick-machine-recovery-test-mode.png" alt-text="Screenshot of the Windows boot screen where quick machine recovery is attempting to connect to the network." border="false" lightbox="images/quick-machine-recovery-test-mode.png":::
:::column-end:::
:::row-end:::
To simulate the quick machine recovery experience, use the following commands from an elevated command prompt:
1. Enable test mode:
```cmd
reagentc.exe /SetRecoveryTestmode
```
1. Configure Windows to boot to Windows Recovery Environment on the next boot:
```cmd
reagentc.exe /BootToRe
```
1. Reboot your device. The system goes through autoremediation of a simulated crash and reboots back to Windows
> [!NOTE]
> If after reboot the device goes into Windows RE instead of starting test mode, follow these steps:
>
> 1. In Windows RE, select **Continue** to boot Windows normally
> 1. In Windows, execute the two commands:
>
> - `reagentc.exe /Disable`
> - `reagentc.exe /Enable`
>
> 1. Retry the quick machine recovery simulation starting from step 1
1. To verify the quick machine recovery remediation, go to **Settings** > **Windows Update** > **[Update history](ms-settings:windowsupdate-history)**. The remediation should be listed under **Quality updates**
:::image type="content" source="images/update-history.png" border="false" lightbox="images/update-history.png" alt-text="Screenshot of the Setting app - Windows Update - showing the installation of a quick machie recovery update.":::
### :::image type="icon" source="../images/icons/feedback.svg" border="false"::: Provide feedback
To provide feedback for quick machine recovery, open [**Feedback Hub**][FHUB] and use the category **Recovery and Uninstall** > **Quick Machine Recovery**.
<!--links-->
[SMC-1]: https://support.microsoft.com/topic/85deb0b9-fa3d-44a3-a3d0-d0f1515c2c9b
[SMC-2]: https://support.microsoft.com/topic/0eb14733-6301-41cb-8d26-06a12b42770b
[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
[CSP-1]: /windows/client-management/mdm/remoteremediation-csp
[INT-1]: /mem/intune/configuration/settings-catalog
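Review bot: The "XML file example" stores the Wi-Fi password in clear text (`<Wifi ssid="ContosoWiFi" password="ContosoWiFiPassword" />`), and the sample output under "Verify Recovery Settings" shows `reagentc.exe /getrecoverysettings` printing the same password back, but the page gives no guidance on protecting either. I would add a note after the XML example: `> [!IMPORTANT]` followed by `> The settings file contains the Wi-Fi password in clear text. Restrict access to the file and delete it after you apply the settings.` In the Intune/CSP tab, the `NetworkPasswordEncryptionType` row lists `0` (not encrypted) on equal footing with `1` and `2`; a sentence recommending one of the encrypted options for production policies would help readers choose. The sample output suggests the credential stays readable from an elevated prompt on the device, which I can't confirm from this page alone; if so, the page should also recommend a dedicated, limited-access network for recovery rather than the main corporate Wi-Fi credential.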


@ -11,5 +11,5 @@ If you enable this policy setting, the system deletes tile notifications when th
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | ./Device/Vendor/MSFT/[Setting]() | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |


@ -11,7 +11,7 @@ This policy setting lets you specify the Start layout for users, preventing them
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | [Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) | | **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-start#configurestartpins)<br><br>`./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-start#configurestartpins)|
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | | **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
For more information, see [Customize the Start layout](../layout.md). For more information, see [Customize the Start layout](../layout.md).


@ -11,5 +11,5 @@ This policy setting prevents the system from conducting a comprehensive search o
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | ./Device/Vendor/MSFT/[Setting]() | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the search-based method when resolving shell shortcuts** | | **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the search-based method when resolving shell shortcuts** |


@ -11,5 +11,5 @@ This policy setting prevents the system from using NTFS tracking features to res
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | ./Device/Vendor/MSFT/[Setting]() | | **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the tracking-based method when resolving shell shortcuts** | | **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Do not use the tracking-based method when resolving shell shortcuts** |


@ -446,7 +446,7 @@ Learn how to [Find the Application User Model ID of an installed app](../store/f
::: zone pivot="windows-10" ::: zone pivot="windows-10"
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune-10) #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune-10)
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings: To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
@ -457,20 +457,20 @@ To configure devices with Microsoft Intune, [create a Settings catalog policy](/
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] [!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. Use one of the following settings: #### [:::image type="icon" source="../images/icons/csp.svg"::: **CSP**](#tab/csp-10)
You can configure devices using the [Start CSP][WIN-1]. Use one of the following settings:
| Setting | | Setting |
|--| |--|
| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **String:** <br>- **Value:** content of the XML file | | - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** String <br>- **Value:** content of the XML file |
| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** <br>- **Value:** content of the XML file | | - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** String <br>- **Value:** content of the XML file |
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-10) #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-10)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)] [!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `Policies/Start/StartLayout` - **Path:** Policies > Start > StartLayout
- **Value:** content of the XML file - **Value:** content of the XML file
> [!NOTE] > [!NOTE]
@ -572,7 +572,7 @@ The GPO applies the Start and taskbar layout at the next user sign-in. Each time
> [!IMPORTANT] > [!IMPORTANT]
> The JSON file can be applied to devices using the [Start policy CSP][WIN-1] only. It's not possible to apply the JSON file using group policy. > The JSON file can be applied to devices using the [Start policy CSP][WIN-1] only. It's not possible to apply the JSON file using group policy.
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune-11) #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune-11)
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings: To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
@ -583,14 +583,14 @@ To configure devices with Microsoft Intune, [create a Settings catalog policy](/
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] [!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. Use one of the following settings: #### [:::image type="icon" source="../images/icons/csp.svg"::: **CSP**](#tab/csp-11)
You can configure devices using the [Start CSP][WIN-1]. Use one of the following settings:
| Setting | | Setting |
|--| |--|
| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)<br>- **String:** <br>- **Value:** content of the JSON file | | - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)<br>- **Data type:** String <br>- **Value:** content of the JSON file |
| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)<br>- **Data type:** <br>- **Value:** content of the JSON file | | - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[ConfigureStartPins](/windows/client-management/mdm/policy-csp-Start#configurestartpins)<br>- **Data type:** String <br>- **Value:** content of the JSON file |
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-11) #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg-11)


@ -191,7 +191,6 @@ Select one of the tabs to see the list of available settings:
#### [:::image type="icon" source="../images/icons/power.svg"::: **Power options**](#tab/power) #### [:::image type="icon" source="../images/icons/power.svg"::: **Power options**](#tab/power)
::: zone pivot="windows-11" ::: zone pivot="windows-11"
|Policy name| CSP | GPO | |Policy name| CSP | GPO |
|-|-|-| |-|-|-|


@ -165,7 +165,7 @@ In the following XML example, two regions are added: `US|UK` and `DE|FR|IT`:
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] [!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune) #### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings: To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
@ -176,14 +176,14 @@ To configure devices with Microsoft Intune, [create a Settings catalog policy](/
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] [!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. Use one of the following settings: #### [:::image type="icon" source="../images/icons/csp.svg"::: **CSP**](#tab/csp)
You can configure devices using the [Start CSP][WIN-1]. Use one of the following settings:
| Setting | | Setting |
|--| |--|
| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **String:** <br>- **Value:** content of the XML file | | - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** String <br>- **Value:** content of the XML file |
| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** <br>- **Value:** content of the XML file | | - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** String <br>- **Value:** content of the XML file |
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@ -214,7 +214,9 @@ The GPO applies the Start and taskbar layout at the next user sign-in. Each time
## User experience ## User experience
After the taskbar layout is applied, the users must sign out and sign in again to see the new layout. Unless prohibited via policy settings, users can pin more apps, change the order, and unpin apps from the taskbar. After the taskbar layout is applied, users must sign out and sign in again to see the new layout. Unless prohibited via policy settings, users can pin more apps, change the order, and unpin apps from the taskbar.
Any pins provisioned via policy settings are restored upon the next policy refresh, even when users unpin them.
### OS install and upgrade experience ### OS install and upgrade experience


@ -15,6 +15,8 @@ items:
href: settings/page-visibility.md href: settings/page-visibility.md
- name: Microsoft Store - name: Microsoft Store
href: store/toc.yml href: store/toc.yml
- name: Quick machine recovery
href: quick-machine-recovery/index.md
- name: Cellular settings - name: Cellular settings
href: cellular/provisioning-apn.md href: cellular/provisioning-apn.md
- name: Windows kiosk options - name: Windows kiosk options
@ -37,4 +39,3 @@ items:
href: custom-logon/index.md href: custom-logon/index.md
- name: Troubleshoot - name: Troubleshoot
href: custom-logon/troubleshoot.md href: custom-logon/troubleshoot.md

Binary file not shown.

Before

Width:  |  Height:  |  Size: 15 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.1 KiB


@ -1,160 +1,155 @@
--- ---
title: Unbranded Boot title: Unbranded Boot
description: Unbranded Boot description: Learn about Unbranded Boot, a feature that suppresses Windows elements that appear when Windows starts. Unbranded Boot can also suppress the crash screen when Windows encounters an error that it can't recover from.
ms.date: 09/10/2024 ms.date: 04/11/2025
ms.topic: overview ms.topic: how-to
--- ---
# Unbranded Boot # Unbranded Boot
You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot. Unbranded Boot is a Windows feature that allows you to suppress Windows elements that appear when Windows starts. It can also suppress the crash screen when Windows encounters an error that it can't recover from. This feature is useful for devices that are used in public spaces, such as kiosks and digital signs, where a clean and professional appearance is important.
[!INCLUDE [unbranded-boot](../../../includes/licensing/unbranded-boot.md)]
## Enable Unbranded Boot
Unbranded Boot is an optional component and isn't enabled by default in Windows. To configure it, you must first enable it.
There are different ways to enable Unbranded Boot, select the method that best fits your needs to learn more.
#### [:::image type="icon" source="../images/icons/control-panel.svg"::: **Control Panel**](#tab/control-panel1)
To enable Unbranded Boot using the Control Panel, follow these steps:
1. Open **Control Panel** > **Programs** > **Turn Windows features on or off** or use the command `optionalfeatures.exe`
1. Expand **Device Lockdown** and select **Unbranded Boot**
1. Select **OK** to enable Unbranded Boot
1. Restart your device to apply the changes
#### [:::image type="icon" source="../images/icons/powershell.svg"::: **PowerShell**](#tab/powershell1)
To enable Unbranded Boot using PowerShell, follow these steps:
1. Open a PowerShell window with administrator privileges
1. Run the following command:
```powershell
Enable-WindowsOptionalFeature -FeatureName Client-DeviceLockdown,Client-EmbeddedBootExp -Online
```
1. Restart your device to apply the changes
---
> [!IMPORTANT] > [!IMPORTANT]
> The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator. > The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.
## Requirements ## Configure Unbranded Boot
Unbranded Boot can be enabled on: The following instructions provide details about how to configure your devices. Select the option that best suits your needs.
- Windows 10 Enterprise > [!NOTE]
- Windows 10 IoT Enterprise > If Windows is already installed, you can't apply a provisioning package to configure Unbranded Boot. Instead, you must use the command prompt to configure Unbranded Boot.
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology #### [:::image type="icon" source="../images/icons/cmd.svg"::: **Command prompt**](#tab/cmd)
- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line. You can use the `bcdedit.exe` command to configure Unbranded Boot settings at runtime.
- **Configure:** To customize the setting or subsettings. > [!NOTE]
> `Bcdedit.exe` is a command-line tool for editing the Boot Configuration Data (BCD) of Windows. Administrator privileges are required to use BCDEdit to modify the BCD.
- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511. 1. Open a command prompt as an administrator
1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu
- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
## Turn on Unbranded Boot settings
Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
### Turn on Unbranded Boot by using Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Restart your device to apply the changes.
## Configure Unbranded Boot settings at runtime using BCDEdit
1. Open a command prompt as an administrator.
1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
```cmd ```cmd
bcdedit.exe -set {globalsettings} advancedoptions false bcdedit.exe -set {globalsettings} advancedoptions false
``` ```
1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu. 1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu
```cmd ```cmd
bcdedit.exe -set {globalsettings} optionsedit false bcdedit.exe -set {globalsettings} optionsedit false
``` ```
1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup. 1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup
```cmd ```cmd
bcdedit.exe -set {globalsettings} bootuxdisabled on bcdedit.exe -set {globalsettings} bootuxdisabled on
``` ```
1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen. 1. Run the following command to suppress any error screens that are displayed during boot. If `noerrordisplay` is set to `on` and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen
```cmd ```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on bcdedit.exe -set {bootmgr} noerrordisplay on
``` ```
## Configure Unbranded Boot using Unattend #### [:::image type="icon" source="../images/icons/xml.svg"::: **Unattend**](#tab/unattend)
You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp. You can configure the Unattend settings in the `Microsoft-Windows-Embedded-BootExp` component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file.
### Unbranded Boot settings ### Unbranded Boot settings
The following table shows Unbranded Boot settings and their values. The following table lists Unbranded Boot settings and their values.
| Setting | Description | Value | | Setting | Description | Value |
|---------|-------------|-------| |---------|-------------|-------|
| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. | | `DisableBootMenu` | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the *Advanced startup options* menu. | - Set to `1` to disable the menu<br>- The default value is `0`|
| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. | | `DisplayDisabled` | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | - Set to `1` to display a blank screen on error<br>- The default value is `0`|
| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. | | `HideAllBootUI` | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | - Set to `1` to suppress all Windows UI elements during startup<br>- The default value is `0`|
| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. | | `HideBootLogo` | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | - Set to `1` to suppress the default Windows logo<br>- The default value is `0`|
| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. | | `HideBootStatusIndicator` | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | - Set to `1` to suppress the status indicator<br>- The default value is `0`|
| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. | | `HideBootStatusMessage` | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | - Set to `1` to suppress the startup status text<br>- The default value is `0`|
## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM) For more information about the Unbranded Boot settings and XML examples, see the settings in [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp).
You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup. #### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM).
1. In the Available customizations page, select **Runtime settings** &gt; **SMISettings** and then set the value for the boot screen settings. The following values are just examples. You must enable Unbranded Boot on the installation media with DISM before you can apply settings for Unbranded Boot using either Windows Configuration Designer or applying a provisioning package during setup.
- **HideAllBootUI**=FALSE [!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **HideBootLogo**=FALSE
- **HideBootStatusIndicator**=TRUE
- **HideBootStatusMessage**=TRUE
- **CrashDumpEnabled**=Full dump
> [!TIP] |Path|Value|
> For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference. |---|---|
|`Runtime settings/SMISettings/HideAllBootUI`| `TRUE` or `FALSE`|
|`Runtime settings/SMISettings/HideBootLogo`| `TRUE` or `FALSE`|
|`Runtime settings/SMISettings/HideBootStatusIndicator`| `TRUE` or `FALSE`|
|`Runtime settings/SMISettings/HideBootStatusMessage`| `TRUE` or `FALSE`|
1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings. > [!TIP]
1. Open a command prompt with administrator privileges. > For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
1. Create a new directory.
```cmd Once you finish to configure the settings and building the package or image, use DISM to apply the settings:
md c:\wim
```
1. Mount the image. 1. Open a command prompt with administrator privileges
1. Copy `install.wim` to a temporary folder on the hard drive (for example, `c:\wim`)
1. Create a new directory to mount the image:
```cmd ```cmd
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim md c:\wim
``` ```
1. Mount the image:
```cmd
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature:
```cmd
dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
```
1. Commit the change:
```cmd
dism /unmount-wim /MountDir:c:\wim /Commit
```
1. Enable the feature. ---
```cmd In the following image:
dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
```
1. Commit the change. 1. `BootLogo` is outlined in green
1. `BootStatusIndicator` is outlined in red
1. `BootStatusMessage` is outlined in blue
```cmd :::image type="content" source="images/boot.png" alt-text="Screenshot of the boot screen showing the areas that can be configured with Unbranded Boot." border="false":::
dism /unmount-wim /MountDir:c:\wim /Commit
```
In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
![unbranded boot screen](images/boot.jpg)
## Replace the startup logo ## Replace the startup logo
The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo. The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
## Suppress Errors During Boot
Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
1. Open a command prompt as an administrator.
1. Run the following command to suppress error screens during boot.
```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on
```
## Related articles
- [Custom Logon](../custom-logon/index.md)


@ -89,19 +89,19 @@ items:
href: update/waas-restart.md href: update/waas-restart.md
- name: Manage additional Windows Update settings - name: Manage additional Windows Update settings
href: update/waas-wu-settings.md href: update/waas-wu-settings.md
- name: Use Windows Update for Business - name: Use Windows Update client policies
items: items:
- name: What is Windows Update for Business? - name: What are Windows Update client policies?
href: update/waas-manage-updates-wufb.md href: update/waas-manage-updates-wufb.md
- name: Configure Windows Update for Business - name: Configure Windows Update client policies
href: update/waas-configure-wufb.md href: update/waas-configure-wufb.md
- name: Use Windows Update for Business and WSUS - name: Use Windows Update client policies and WSUS
href: update/wufb-wsus.md href: update/wufb-wsus.md
- name: Enforcing compliance deadlines for updates - name: Enforcing compliance deadlines for updates
href: update/wufb-compliancedeadlines.md href: update/wufb-compliancedeadlines.md
- name: Integrate Windows Update for Business with management solutions - name: Integrate Windows Update client policies with management solutions
href: update/waas-integrate-wufb.md href: update/waas-integrate-wufb.md
- name: Use group policy to configure Windows Update for Business - name: Use group policy to configure Windows Update client policies
href: update/waas-wufb-group-policy.md href: update/waas-wufb-group-policy.md
- name: Deploy updates using CSPs and MDM - name: Deploy updates using CSPs and MDM
href: update/waas-wufb-csp-mdm.md href: update/waas-wufb-csp-mdm.md


@ -61,8 +61,10 @@
href: mcc-ent-uninstall-cache-node.md href: mcc-ent-uninstall-cache-node.md
- name: Resources - name: Resources
items: items:
- name: Frequent Asked Questions - name: Frequently Asked Questions
href: mcc-ent-faq.yml href: mcc-ent-faq.yml
- name: Connected Cache secure content delivery
href: mcc-ent-secure-content-delivery.md
- name: Troubleshooting - name: Troubleshooting
href: mcc-ent-troubleshooting.md href: mcc-ent-troubleshooting.md
- name: Microsoft Connected Cache for Enterprise and Education early preview - name: Microsoft Connected Cache for Enterprise and Education early preview


@ -14,7 +14,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a> - ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>
ms.date: 05/23/2024 ms.date: 04/15/2025
--- ---
# Microsoft Connected Cache content and services endpoints # Microsoft Connected Cache content and services endpoints
@ -39,3 +39,4 @@ Use the table below to reference any particular content types or services endpoi
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure | | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure |
| *.ubuntu.com, api.snapcraft.io | HTTP / 80 </br> HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure | | *.ubuntu.com, api.snapcraft.io | HTTP / 80 </br> HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure |
| packages.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure | | packages.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure |
| aka.ms, raw.githubusercontent.com | HTTPs / 443 | Azure IoT Identity Service | Checks the identity service version file is the latest version. | Connected Cache Managed in Azure |


Binary file not shown.


@ -11,7 +11,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions - ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 10/30/2024 ms.date: 03/19/2025
--- ---
# Create Microsoft Connected Cache Azure resource and cache nodes # Create Microsoft Connected Cache Azure resource and cache nodes
@ -20,7 +20,7 @@ This article outlines how to create and configure your Microsoft Connected Cache
## Prerequisites ## Prerequisites
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a free-of-charge service hosted in Azure. You'll need a pay-as-you-go Azure subscription in order to onboard to our service. To create a subscription, go to [pay-as-you-go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). 1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a free-of-charge service hosted in Azure. You need a pay-as-you-go Azure subscription in order to onboard to our service. To create a subscription, go to [pay-as-you-go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
2. **Hardware to host Connected Cache**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. 2. **Hardware to host Connected Cache**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
For more information on sizing and OS requirements, see [the prerequisites for using Connected Cache](mcc-ent-prerequisites.md). For more information on sizing and OS requirements, see [the prerequisites for using Connected Cache](mcc-ent-prerequisites.md).
@ -28,6 +28,9 @@ For more information on sizing and OS requirements, see [the prerequisites for u
## Create Connected Cache Azure resource ## Create Connected Cache Azure resource
> [!Note]
> Resource move isn't currently supported for Connected Cache Azure resources. If you need to move your Connected Cache Azure resource, you can consider deleting the existing resource and creating another one in a different location.
# [Azure portal](#tab/portal) # [Azure portal](#tab/portal)
1. In the [Azure portal](https://portal.azure.com), select **Create a Resource** and search for `Microsoft Connected Cache for Enterprise and Education`. 1. In the [Azure portal](https://portal.azure.com), select **Create a Resource** and search for `Microsoft Connected Cache for Enterprise and Education`.
@ -56,7 +59,7 @@ For more information on sizing and OS requirements, see [the prerequisites for u
* Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade). * Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade).
* Install Azure CLI extension **mcc** by following the instructions [here](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions). * Install Azure CLI extension `mcc` by following the instructions [here](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions).
* Resource group under which a Connected Cache resource can be created. Use the [az group create](/cli/azure/group#az-group-create) command to create a new Resource group if you don't already have one. * Resource group under which a Connected Cache resource can be created. Use the [az group create](/cli/azure/group#az-group-create) command to create a new Resource group if you don't already have one.
@ -80,7 +83,7 @@ az mcc ent resource create --mcc-resource-name <mymccresource> --resource-group
1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise resource that you created.<br> 1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise resource that you created.<br>
1. Under Cache Node Management, select **Cache Nodes** then **Create Cache Node**.<br> 1. Under Cache Node Management, select **Cache Nodes** then **Create Cache Node**.<br>
1. Provide a name for your cache node and select the host OS you plan to deploy the cache node on, then select **Create**. Note, cache node names have to be unique under the Microsoft Connected Cache resource. 1. Provide a name for your cache node and select the host OS you plan to deploy the cache node on, then select **Create**. Note that cache node names have to be unique under the Microsoft Connected Cache resource.
<!-- <!--
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
--> -->
@ -111,7 +114,7 @@ az mcc ent node create --cache-node-name <mycachenode> --mcc-resource-name <mymc
>```azurecli-interactive >```azurecli-interactive
>az mcc ent node show --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg> >az mcc ent node show --cache-node-name <mycachenode> --mcc-resource-name <mymccresource> --resource-group <myrg>
>``` >```
>In the output look for **cacheNodeState**. If ***cacheNodeState = Not Configured***, you can continue with cache node configuration. >In the output, look for **cacheNodeState**. If ***cacheNodeState = Not Configured***, you can continue with cache node configuration.
>If ***cacheNodeState = Registration in Progress***, then the cache node is still in process of being created. Wait a couple of minutes and run the command again. >If ***cacheNodeState = Registration in Progress***, then the cache node is still in process of being created. Wait a couple of minutes and run the command again.
>To know more about different cache node state, see [Cache node states](#cache-node-states). >To know more about different cache node state, see [Cache node states](#cache-node-states).
@ -138,7 +141,7 @@ Replace the following placeholders with your own information:
* *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb. * *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb.
* *\<proxy>*: If proxy needs to be enabled or not.<br> * *\<proxy>*: If proxy needs to be enabled or not.<br>
Accepted values: `enabled`, `disabled`<br> Accepted values: `enabled`, `disabled`<br>
Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine. Proxy should be set to enabled if the cache node needs to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine.
* *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled. * *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled.
* *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled. * *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled.
* *\<auto-update-ring>*: Update ring the cache node should have.<br> * *\<auto-update-ring>*: Update ring the cache node should have.<br>
@ -171,7 +174,7 @@ Replace the following placeholders with your own information:
* *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb. * *\<size-in-gb>*: The size of cache drive. Must be at least 50 Gb.
* *\<proxy>*: If proxy needs to be enabled or not.<br> * *\<proxy>*: If proxy needs to be enabled or not.<br>
Accepted values: `enabled`, `disabled`<br> Accepted values: `enabled`, `disabled`<br>
Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine. Proxy should be set to enabled if the cache node needs to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine.
* *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled. * *\<proxy-host>*: The proxy host name or ip address. Required if proxy is set to enabled.
* *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled. * *\<proxy-port>*: Proxy port number. Required if proxy is set to enabled.
* *\<auto-update-ring>*: Update ring the cache node should have.<br> * *\<auto-update-ring>*: Update ring the cache node should have.<br>
@ -215,7 +218,7 @@ To deploy cache nodes using Azure CLI, see
| Field Name |Expected Value |Description| | Field Name |Expected Value |Description|
|---|---|---| |---|---|---|
|**Cache node name** | Alphanumeric string that contains no spaces| The name of the cache node. You may choose names based on location such as "Seattle-1". This name must be unique and can't be changed later | |**Cache node name** | Alphanumeric string that contains no spaces| The name of the cache node. You can choose names based on location such as "Seattle-1". This name must be unique and can't be changed later. |
|**Host OS** | Linux or Windows| This is the operating system of the host machine that the cache node will be deployed to.| |**Host OS** | Linux or Windows| This is the operating system of the host machine that the cache node will be deployed to.|
### Storage fields ### Storage fields
@ -240,12 +243,12 @@ To deploy cache nodes using Azure CLI, see
#### Proxy settings #### Proxy settings
<br> <br>
You can choose to enable or disable proxy settings on your cache node. Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache node to your host machine. You can choose to enable or disable proxy settings on your cache node. Proxy should be set to enabled if the cache node needs to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache node to your host machine.
<br> <br>
>[!IMPORTANT] >[!IMPORTANT]
>Enabling or disabling the proxy settings after your cache node has been deployed will require running the provisioning script on the host machine again. This will ensure that proxy changes are in effect on the cache node. >Enabling or disabling the proxy settings after your cache node has been deployed will require running the provisioning script on the host machine again. This ensures that proxy changes are in effect on the cache node.
| Field Name |Expected Value |Description| | Field Name |Expected Value |Description|
|---|---|---| |---|---|---|


@ -28,7 +28,7 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note] >[!Note]
>* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine. 1. Run the provisioning command on the host machine.
@ -47,8 +47,8 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine. 1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package. 1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note] > [!Note]
>* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command. >* If you're deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and then add `proxytlscertificatepath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute. 1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine. 1. Replace the values in the following provisioning command before running it on the host machine.


@ -89,8 +89,8 @@ The following diagram displays an overview of how Connected Cache functions:
1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services. 1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services.
1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key. 1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key.
1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content. 1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content.
1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. 1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. If the cache server fails to respond, the client downloads the content from the CDN. To delay this behavior, set the [DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground](/windows/deployment/do/waas-delivery-optimization-reference#delay-foreground-download-cache-server-fallback-in-secs) setting to avoid the immediate fallback. You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.
You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.
## Next steps ## Next steps


@ -11,7 +11,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions - ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 10/30/2024 ms.date: 03/19/2025
--- ---
# Monitor cache node usage # Monitor cache node usage
@ -30,7 +30,7 @@ Using the two monitoring sections, you can gather essential insights into the he
Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours. Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
![Screenshot of cache node summary in the Azure portal interface.](../images/mcc-ent-cache-node-summary.png) ![Screenshot of cache node summary in the Azure portal interface.](images/mcc-ent-cache-node-summary.png)
| Metric | Description | | Metric | Description |
| --- | --- | | --- | --- |
@ -46,7 +46,7 @@ Below are the metrics found in the **Cache Node Summary** dashboard, along with
The two predefined charts on the Overview page visually represent the egress and types of content served by your Connected Cache node. The filters that are displayed below the cache node summary dashboard only affect the data shown in the key metric charts. The two predefined charts on the Overview page visually represent the egress and types of content served by your Connected Cache node. The filters that are displayed below the cache node summary dashboard only affect the data shown in the key metric charts.
![Screenshot of key metric charts in the Azure portal interface.](../images/mcc-ent-key-metric-charts.png) ![Screenshot of key metric charts in the Azure portal interface.](images/mcc-ent-key-metric-charts.png)
#### Filters #### Filters
@ -67,9 +67,9 @@ The content types displayed in the chart each have a distinct color and are sort
### Cache node details ### Cache node details
The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID. The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as status, host machine OS, software version, and cache node ID.
![Screenshot of cache node details in the Azure portal interface.](../images/mcc-ent-cache-node-details.png) ![Screenshot of cache node details in the Azure portal interface.](images/mcc-ent-cache-node-details.png)
| Metric | Description | | Metric | Description |
| --- | --- | | --- | --- |


@ -0,0 +1,91 @@
---
title: Microsoft Connected Cache for Enterprise and Education Secure Content Delivery
description: Details on how Microsoft Connected Cache for Enterprise and Education securely delivers content to requesting Delivery Optimization clients.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: article
author: chrisjlin
ms.author: lichris
manager: naengler
ms.reviewer: mstewart
ms.collection:
- tier3
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ Supported Linux distributions
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 03/19/2025
---
# Microsoft Connected Cache for Enterprise and Education Secure Content Delivery
This article describes how Connected Cache nodes facilitate secure delivery of Microsoft content between Microsoft/CDN endpoints and Delivery Optimization clients.
## How Connected Cache nodes facilitate secure content delivery
Connected Cache nodes act as transparent content caches, meaning any device can request Microsoft content from a Connected Cache node without needing to provide authentication of identity. This allows for efficient discovery and connectivity between devices and Connected Cache nodes on the same network.
Connected Cache nodes only download and store Microsoft content from provisioned Microsoft and Content Delivery Network (CDN) endpoints, so there are no concerns about the cache storing personal or sensitive data.
Connected Cache works in tandem with the [Delivery Optimization (DO) client](waas-delivery-optimization.md), a component of Windows that manages the downloading of Microsoft content. Regardless of download source, the DO client on each Windows device verifies the authenticity and integrity of downloaded content using its metadata hash and content hash. In addition, the downloaded content's signature is verified before it's installed. This process ensures that the Windows device is protected against man-in-the-middle attacks that attempt to tamper with content while it's in transit.
![Diagram of content delivery between CDN, cache node, and DO client](images/mcc-ent-secure-content-delivery-diagram.png)
As shown in the diagram, Connected Cache nodes currently utilize HTTP to communicate with CDN endpoints and Delivery Optimization clients. There's work planned to support HTTPS communication between CDN endpoints, Connected Cache nodes, and Delivery Optimization clients in the future for content that utilizes HTTPS.
## Security considerations for Connected Cache nodes
The security of each Connected Cache node is dependent on the security of its environment.
In order to securely function as designed, Connected Cache expects the user to take steps to secure the different components of their organization's network and devices.
The following section is intended to provide a high-level overview of some of the security aspects the user should consider and resources for learning more.
### Azure resources
One aspect of security lies with the Azure resources that your Microsoft Connected Cache nodes communicate with. You should ensure that your organization's Azure tenant is using role-based access control (RBAC) to apply policies that enforce least-privilege access to the Azure resources for Connected Cache that you provision. Only trusted individuals should have the ability to perform create, read, update, and delete (CRUD) operations on your organization's Connected Cache Azure resources and cache nodes.
You can learn more about the principles of Azure resource security by referring to the [Azure identity management and access control security best practices](/azure/security/fundamentals/identity-management-best-practices) and the [Microsoft cloud security benchmark (MCSB) documentation for Identity management](/security/benchmark/azure/mcsb-identity-management).
### Local network
Another aspect of security lies with your organization's local network. It's recommended that your organization adopts a Zero Trust approach to network security so that your organizational data is protected even if an attacker breaches your network perimeter.
One best practice is to utilize a firewall on your organization's network. When using a network firewall, you should configure it to allow communication between your Connected Cache nodes and the [Microsoft and CDN endpoints](delivery-optimization-endpoints.md) used to install Connected Cache and download Microsoft content.
You can learn more about the principles of network security by referring to the [Azure best practices for network security](/azure/security/fundamentals/network-best-practices) and the [Microsoft cloud security benchmark (MCSB) documentation for Network security](/security/benchmark/azure/mcsb-network-security).
### Cache node host machine OS
Another aspect of security lies with the operating system (OS) of your Connected Cache node's host machine. Your organization can choose to host Microsoft Connected Cache nodes on a [compatible host OS](mcc-ent-prerequisites.md#cache-node-host-machine-requirements) of your choice.
Regardless of which host OS you choose to use, you should ensure that you perform regular OS updates to keep it up to date.
If you're hosting on Windows, your host machine uses Windows Subsystem for Linux (WSL) to run the Connected Cache container. You should ensure that your deployment of WSL meets the [recommended Enterprise set up for WSL](/windows/wsl/enterprise).
### Organization-managed Windows devices
Another aspect of security lies with the organization-managed Windows devices that request Microsoft content from your Connected Cache nodes. The Windows devices that are connecting to the Connected Cache node should be secured according to your organization's security policy.
## Frequently asked questions
Here are some common questions you might have about the security of Microsoft Connected Cache for Enterprise and Education.
### How often is the Connected Cache container updated?
There might be several Connected Cache container updates per year. These updates may contain new features, bug fixes, and security patches. When a new Common Vulnerability and Exposure (CVE) is identified, Microsoft may release a new container update to address the vulnerability.
For more information about Connected Cache container updates and how to schedule their installation, see [Update Microsoft Connected Cache for Enterprise and Education](mcc-ent-update-cache-node.md).
### What security improvements are included in the latest Connected Cache container update?
You can find a list of security improvements and other fixes in the [Connected Cache release notes](mcc-ent-release-notes.md).
## Related content
- [Understand Windows Update security](/windows/deployment/update/windows-update-security)
- [Understand the Delivery Optimization secure workflow](delivery-optimization-workflow.md#download-request-workflow)
- [Understand delivery of Win32 apps via Intune](/troubleshoot/mem/intune/app-management/develop-deliver-working-win32-app-via-intune#the-flow-behind-delivery-of-a-win32-app-to-the-client)
- [Microsoft Win32 Content Prep Tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool)


@ -38,7 +38,7 @@ As a temporary workaround, the above error doesn't occur by changing the languag
[Connected Cache Azure resource creation](mcc-ent-create-resource-and-cache.md) can be initiated using either the Azure portal user interface or the Azure CLI command set. [Connected Cache Azure resource creation](mcc-ent-create-resource-and-cache.md) can be initiated using either the Azure portal user interface or the Azure CLI command set.
If you're encountering an error during resource creation, check that you have the necessary permissions to create Azure resources under your subscription and have filled out all required fields during the resource creation process. If you're encountering an error during resource creation, [check that you have the necessary permissions to create Azure resources under your subscription](/azure/role-based-access-control/check-access) and have filled out all required fields during the resource creation process.
## Troubleshooting cache node configuration ## Troubleshooting cache node configuration


@ -17,7 +17,7 @@ metadata:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a> - ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 02/27/2025 ms.date: 04/14/2025
title: Frequently Asked Questions about Delivery Optimization title: Frequently Asked Questions about Delivery Optimization
summary: | summary: |
This article answers frequently asked questions about Delivery Optimization. This article answers frequently asked questions about Delivery Optimization.
@ -30,6 +30,8 @@ summary: |
- [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected) - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
- [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization) - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization)
- [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it) - [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it)
- [What do the Delivery Optimization error codes mean?](#what-do-the-delivery-optimization-error-codes-mean)
- [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-measure-and-throttle-download-bandwidth)
**Network related configuration questions**: **Network related configuration questions**:
@ -74,12 +76,24 @@ sections:
> [!NOTE] > [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
- question: My download is failing with error code 0x80d03002, how do I fix it? - question: My download is failing with error code 0x80d03002, how do I fix it?
answer: | answer: |
If you set the DownloadMode policy to '100' (Bypass) some content downloads that require Delivery Optimization may fail with error code 0x80d03002. If you set the DownloadMode policy to '100' (Bypass) some content downloads that require Delivery Optimization may fail with error code 0x80d03002.
If you intend to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access. If you intend to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
- question: What do the Delivery Optimization error codes mean?
answer: |
For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively.
- question: How does Delivery Optimization measure and throttle download bandwidth?
answer: |
By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network.
Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies.
For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options).
> [!NOTE]
> For LAN peers, neither the target download speed is calculated nor is throttling applied.
- name: Network related configuration questions - name: Network related configuration questions
questions: questions:
@ -139,7 +153,7 @@ sections:
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
- question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
answer: | answer: |
Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
- question: How does Delivery Optimization handle VPNs? - question: How does Delivery Optimization handle VPNs?
answer: | answer: |
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
@ -169,7 +183,7 @@ sections:
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
- question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
answer: | answer: |
Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses (defined by RFC 1918). If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
> [!NOTE] > [!NOTE]
> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
@ -185,4 +199,3 @@ sections:
1. In the search box on the taskbar, type **Disk Cleanup**, and then select it from the list of results. 1. In the search box on the taskbar, type **Disk Cleanup**, and then select it from the list of results.
1. On the **Disk Cleanup** tab, select the **Delivery Optimization Files** check box. 1. On the **Disk Cleanup** tab, select the **Delivery Optimization Files** check box.
1. Select **OK**. On the dialog that appears, select **Delete Files**. 1. Select **OK**. On the dialog that appears, select **Delete Files**.


@ -14,7 +14,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a> - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 10/15/2024 ms.date: 04/15/2025
--- ---
# Delivery Optimization reference # Delivery Optimization reference
@ -329,12 +329,14 @@ This policy allows you to specify how your client(s) can discover Delivery Optim
- 1 = DHCP Option 235. - 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force. - 2 = DHCP Option 235 Force.
With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. **By default, this policy has no value.** With either option, the client queries DHCP Option ID 235 and uses the returned value as the Cache Server Hostname. If [DOCacheHost](#cache-server-hostname) policy is also configured, then DHCP Option 235 Force (2) is required to override it. **By default, this policy has no value.**
Configure this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. Configure this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
> [!NOTE] > [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been configured. > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been configured.
>
> If the [LocalPolicyMerge](/windows/security/operating-system-security/network-security/windows-firewall/rules#local-policy-merge-and-application-rules) setting is configured, such as part of security baselines, it can impact DHCP client and prevent it from retrieving this DHCP option, especially in Autopilot scenarios.
### Maximum foreground download bandwidth (in KB/s) ### Maximum foreground download bandwidth (in KB/s)


@ -15,7 +15,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/23/2024 ms.date: 04/03/2025
--- ---
# What is Delivery Optimization? # What is Delivery Optimization?
@ -26,7 +26,7 @@ Windows updates, upgrades, and applications can contain packages with large file
To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content. To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update client policies, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](delivery-optimization-configure.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](delivery-optimization-configure.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
@ -47,9 +47,6 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Client #### Windows Client
> [!NOTE]
> Starting March 4, 2025, Edge Browser updates will temporarily not utilize Delivery Optimization for downloads. We are actively working to resolve this issue.
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache | | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------|---------------|----------------|----------|----------------| |------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@ -58,7 +55,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Windows 10 1809, Windows 11 | | | | | Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| MDM Agent | Windows 11 | :heavy_check_mark: | | | | MDM Agent | Windows 11 | :heavy_check_mark: | | |


@ -26,7 +26,7 @@ Two methods of peer-to-peer content distribution are available.
- [Delivery Optimization](waas-delivery-optimization.md) is a peer-to-peer distribution method in Windows. Windows clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. - [Delivery Optimization](waas-delivery-optimization.md) is a peer-to-peer distribution method in Windows. Windows clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates. Windows Update, Windows Update client policies, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates.
- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
@ -37,7 +37,7 @@ Two methods of peer-to-peer content distribution are available.
<br/><br/> <br/><br/>
| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | Method | Windows Update | Windows Update client policies | WSUS | Configuration Manager |
| --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- |
| Delivery Optimization | Yes | Yes | Yes | Yes | | Delivery Optimization | Yes | Yes | Yes | Yes |
| BranchCache | No | No |Yes | Yes | | BranchCache | No | No |Yes | Yes |
@ -52,7 +52,7 @@ Two methods of peer-to-peer content distribution are available.
Windows client quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. Windows client quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
> [!NOTE] > [!NOTE]
> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update client policies.
### How Microsoft supports Express ### How Microsoft supports Express
@ -61,7 +61,7 @@ Windows client quality update downloads can be large because every package conta
Express update delivery is available on [all support versions of WSUS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708456(v=ws.10)). Express update delivery is available on [all support versions of WSUS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708456(v=ws.10)).
- **Express on devices directly connected to Windows Update** - **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](../update/waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. - **Enterprise devices managed using [Windows Update client policies](../update/waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
### How Express download works ### How Express download works
@ -95,4 +95,4 @@ At this point, the download is complete and the update is ready to be installed.
| ✅ | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) | | ✅ | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
| ✅| [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) | | ✅| [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
| ✅ | Optimize update delivery for Windows 10 updates (this article) | | ✅ | Optimize update delivery for Windows 10 updates (this article) |
| | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | | | [Deploy updates using Windows Update client policies](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |


@ -45,7 +45,7 @@ landingContent:
url: /windows/whats-new/windows-11-prepare?context=/windows/deployment/context/context url: /windows/whats-new/windows-11-prepare?context=/windows/deployment/context/context
- text: Prepare to deploy Windows updates - text: Prepare to deploy Windows updates
url: update/prepare-deploy-windows.md url: update/prepare-deploy-windows.md
- text: Prepare for Windows Update for Business - text: Prepare for Windows Update client policies
url: update/waas-manage-updates-wufb.md url: update/waas-manage-updates-wufb.md
- text: Evaluate and update infrastructure - text: Evaluate and update infrastructure
url: update/update-policies.md url: update/update-policies.md
@ -91,13 +91,13 @@ landingContent:
- text: See more > - text: See more >
url: windows-autopatch/index.yml url: windows-autopatch/index.yml
- title: Use Windows Update for Business - title: Use Windows Update client policies
linkLists: linkLists:
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: What is Windows Update for Business? - text: What are Windows Update client policies?
url: update/waas-manage-updates-wufb.md url: update/waas-manage-updates-wufb.md
- text: Configure Windows Update for Business - text: Configure Windows Update client policies
url: update/waas-configure-wufb.md url: update/waas-configure-wufb.md
- text: Windows Update for Business reports overview - text: Windows Update for Business reports overview
url: update/wufb-reports-overview.md url: update/wufb-reports-overview.md


@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client ms.service: windows-client
author: frankroj author: frankroj
ms.author: frankroj ms.author: frankroj
ms.date: 11/26/2024 ms.date: 04/08/2024
manager: aaroncz manager: aaroncz
ms.localizationpriority: high ms.localizationpriority: high
ms.topic: how-to ms.topic: how-to
@ -19,9 +19,11 @@ appliesto:
# MBR2GPT.EXE # MBR2GPT.EXE
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option. > [!IMPORTANT]
>
> **MBR2GPT.EXE** is located in the **`Windows\System32`** directory on any device running a [currently supported version of Windows](/windows/release-health/supported-versions-windows-client).
**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. **MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
The tool is available in both the full OS environment and Windows PE. The tool is available in both the full OS environment and Windows PE.
@ -451,22 +453,22 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i
1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank. 1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank.
The following shows an example output of the DiskPart tool showing the partition type for two disks: The following shows an example output of the DiskPart tool showing the partition type for two disks:
```cmd ```cmd
X:\>DiskPart.exe X:\>DiskPart.exe
Microsoft DiskPart version 10.0.15048.0 Microsoft DiskPart version 10.0.15048.0
Copyright (C) Microsoft Corporation. Copyright (C) Microsoft Corporation.
On computer: MININT-K71F13N On computer: MININT-K71F13N
DISKPART> list disk DISKPART> list disk
Disk ### Status Size Free Dyn Gpt Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- --- -------- ------------- ------- ------- --- ---
Disk 0 Online 238 GB 0 B Disk 0 Online 238 GB 0 B
Disk 1 Online 931 GB 0 B * Disk 1 Online 931 GB 0 B *
``` ```
In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.


@ -73,7 +73,7 @@ During your plan and preparation phases, you should focus on the following activ
Remember, you're working with pre-release software in the Preview ring and you'll be evaluating features and testing the update for a targeted release. Remember, you're working with pre-release software in the Preview ring and you'll be evaluating features and testing the update for a targeted release.
> [!IMPORTANT] > [!IMPORTANT]
> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: > If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update client policies, be sure to set the following policies to allow for Preview builds:
> - **Manage Preview Builds: 2 - Enable preview builds** > - **Manage Preview Builds: 2 - Enable preview builds**
> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow** > • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow**


@ -49,7 +49,7 @@ The first step of controlling when and how devices install updates is assigning
### General Availability Channel ### General Availability Channel
In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update client policies, the channel provides three months of additional total deployment time before being required to update to the next release.
### Windows Insider Program for Business ### Windows Insider Program for Business


@ -11,7 +11,7 @@ ms.localizationpriority: medium
<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. --> <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. -->
Accessing Windows Update for Business reports typcially requires permissions from multiple sources including: Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
- [Microsoft Entra ID](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports - [Microsoft Entra ID](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update client policies through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in - [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in


@ -0,0 +1,125 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
ms.date: 03/18/2025
ms.localizationpriority: medium
---
<!--This file is shared by update/wufb-compliancedeadlines.md. It may be added to /update/waas-wufb-csp-mdm.md, /update/waas-wufb-group-policy.md, and /update/waas-restart.md articles later. Headings are driven by article context. Updated with 9091858 -->
These deadline policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline passes. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the [effective deadline](../wufb-compliancedeadlines.md) occurs. The description doesn't account for changes to the **Display options for update notifications** policy ([Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours)) or other settings that would significantly change the experience.
# [Windows 11, version 23H2 and later](#tab/w11-23h2-notifications)
The following notifications are what the user sees on Windows 11, version 23H2 and later, depending on the settings chosen by the user and the IT administrator:
When **Specify deadlines for automatic updates and restarts** is set:
While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
- If the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.
- If the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a restart pending state for updates.
:::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." lightbox="../media/9091858-initial-toast.png":::
Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours.
- If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.
:::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification" lightbox="../media/9091858-pre-deadline-restart-imminent.png":::
As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification.
:::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification." lightbox="../media/9091858-11-dialog-18-hours.png":::
15 minutes before the deadline, a notification displays in the middle of the screen notifying the user that a restart is going to occur. Users can either confirm the restart, reschedule, or choose to restart now.
:::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification" lightbox="../media/9091858-pre-deadline-restart-imminent.png":::
In cases where a user scheduled restart fails but there's still more time before the deadline is reached, the user receives a notification to either restart now or to reschedule the restart.
:::image type="content" source="../media/9091858-11-scheduled-restart-failed.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user if their scheduled restart fails. The notification contains the options to restart now or to reschedule the restart." lightbox="../media/9091858-11-scheduled-restart-failed.png":::
In cases where the deadline has passed, the user receives a notification that a restart is required. The only options a user can select is to restart now or confirm. The user has 15 minutes to select restart before the device is forced to restart.
:::image type="content" source="../media/9091858-11-fifteen-minutes-restart.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user if their scheduled restart fails and the deadline is passed. The notification contains the options to restart now or to reschedule the restart." lightbox="../media/9091858-11-fifteen-minutes-restart.png":::
In cases where the deadline has passed and the restart failed, the user receives a notification that a restart is required. If the device is plugged in, it will attempt to restart every 5 minutes until the device successfully restarts. The user has 5 minutes to restart before the device is forced to restart.
:::image type="content" source="../media/9091858-11-past-deadline-restart-failed.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user if their scheduled restart fails and it's past the deadline. The user has 5 minutes to select restart before the device is forced to restart." lightbox="../media/9091858-11-past-deadline-restart-failed.png":::
# [Windows 11, version 22H2 and earlier](#tab/w11-22h2-notifications)
The following notifications are what the user sees on Windows 11, version 22H2 and earlier, depending on the settings chosen by the user and the IT administrator:
When **Specify deadlines for automatic updates and restarts** is set:
For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
- If the device is Windows 11, version 22H2 and the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.
- If the device is Windows 11, version 22H2 and the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a reboot pending state for updates.
:::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." lightbox="../media/9091858-initial-toast.png":::
Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer.
- If there's still time for an automatic restart to occur after active hours, the dialog displays an option to let the device restart later along with options to restart now or to pick a time to schedule a restart.
- If there's not time for an automatic restart to occur after active hours, the dialog displays options to pick a time to schedule a restart, restart now, or remind the user later.
During this time before the deadline is reached, if they're allowed, automatic restarts might be scheduled after active hours. If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.
:::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now, schedule a restart, or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-pre-deadline-restart-imminent.png":::
The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification.
:::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-dialog-18-hours.png":::
If the restart is still pending once the deadline passes, a notification displays in the middle of the screen notifying the user that a restart is going to occur. Users can either confirm the restart or choose to restart now.
:::image type="content" source="../media/9091858-11-fifteen-minutes-restart.png" alt-text="Screenshot of the dialog displayed for a user 15 minutes before a restart is forced due to a deadline. The notification contains the options to restart now or confirm the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-fifteen-minutes-restart.png":::
In cases where a user scheduled restart fails but there's still more time before the deadline is reached, the user receives a notification to either restart now or to reschedule the restart.
:::image type="content" source="../media/9091858-11-scheduled-restart-failed.png" alt-text="Screenshot of the dialog displayed for a user if their scheduled restart fails. The notification contains the options to restart now or to reschedule the restart. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-scheduled-restart-failed.png":::
In cases where the deadline has passed and the restart failed, the user receives a notification that a restart is required. The user has 5 minutes to restart before the device is forced to restart.
:::image type="content" source="../media/9091858-11-past-deadline-restart-failed.png" alt-text="Screenshot of the dialog displayed for a user if their scheduled restart fails and it's past the deadline. The user has 5 minutes to select restart before the device is forced to restart." lightbox="../media/9091858-11-past-deadline-restart-failed.png":::
# [Windows 10, version 22H2](#tab/w10-22h2-notifications)
These notifications are what the user sees on Windows 10, depending on the settings chosen by the user and the IT administrator:
When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and later):
- **While restart is pending, before the deadline occurs:**
- For the first few days, the user receives a toast notification
:::image type="content" source="../media/9091858-initial-toast.png" alt-text="Screenshot of the initial Windows 10 toast notification displayed for a user when a restart is needed for an update but the deadline isn't reached yet. This notification is displayed for Windows 11, version 22H2, and earlier devices. " lightbox="../media/9091858-initial-toast.png":::
- After this period, the user receives this dialog:
:::image type="content" source="../media/9091858-dialog-18-hours.png" alt-text="Screenshot of the Windows 10 notification displayed for a user when a restart is needed for an update and there's still time for an automatic restart to occur." lightbox="../media/9091858-dialog-18-hours.png":::
- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user receives this notification that the restart is about to occur:
:::image type="content" source="../media/9091858-pre-deadline-restart-imminent.png" alt-text="Screenshot of the Windows 10 dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now, schedule a restart, or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-pre-deadline-restart-imminent.png":::
- **If the restart is still pending after the deadline passes:**
- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
:::image type="content" source="../media/9091858-initial-deadline-day-dialog.png" alt-text="Screenshot of the Windows 10 dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-initial-deadline-day-dialog.png":::
- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
:::image type="content" source="../media/9091858-scheduled-restart-failed-22h2.png" alt-text="Screenshot of the Windows 10 dialog displayed for a user if their scheduled restart fails. The notification contains the options to restart now or to reschedule the restart. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-scheduled-restart-failed-22h2.png":::
---


@ -20,7 +20,7 @@ ms.date: 1/31/2024
This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process. Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update client policies, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
## Dynamic Update ## Dynamic Update

Binary file not shown.


Width:  |  Height:  |  Size: 106 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 82 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 128 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 152 KiB
