Microsoft 365 Business
-Microsoft 365 Business is designed for small- to medium-sized businesses with up to 300 users and integrates Office 365 Business Premium with tailored security and management features from Windows 10, and Enterprise Mobility + Security.
+Microsoft 365 Business is a new solution designed for small and midsize businesses (SMB), bringing together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data.
++
Microsoft 365 Education
+Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.
In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**Request an app**
People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**My organization**
**My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**Manage prepaid Office 365 subscriptions**
Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**Manage Office 365 subscriptions acquired by partners**
Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**Edge extensions in Microsoft Store**
Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +|  |**Search results in Microsoft Store for Business**
Search results now have sub categories to help you refine search results.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | + + \ No newline at end of file diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 1c683c1be0..87dc16ae0e 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -49,7 +49,7 @@ Admins need to invite developer or ISVs to become an LOB publisher. **To invite a developer to become an LOB publisher** -1. Sign in to the [Windows Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531). +1. Sign in to the [Microsoft Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531). 2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**. 3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer. >[!Note] @@ -98,7 +98,7 @@ After an ISV submits the LOB app for your company or school, someone with Micros After you add the app to your inventory, you can choose how to distribute the app. For more information, see: -- [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) +- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) - [Distribute apps from your private store](distribute-apps-from-your-private-store.md) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 51d3af12b8..084999e656 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -25,7 +25,7 @@ ms.date: 09/08/2017 >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 59a9bb791e..68f001e2f3 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -71,6 +71,23 @@ The table shows the minimum requirements for each deployment. ## Frequently Asked Questions +### What is the user experience for Windows Hello for Business? +The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + +> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] + + + +> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] + +### What happens when my user forgets their PIN? + +If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. + +> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] + +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + ### Do I need Windows Server 2016 domain controllers? There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 52c93015e2..bd3429561c 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md 
@@ -314,4 +314,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 54739d877a..1e51ed414b 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md 
@@ -160,9 +160,9 @@ If your organization does not have cloud resources, write **On-Premises** in box Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. -One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end enetity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust tyoes issues certificates, there is more configuration and infrastrucutre needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificatat-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. 
Additional infrastructure needed for certificate-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. @@ -320,4 +320,4 @@ If boxes **2a** or **2b** read **modern management** and you want devices to aut ## Congratulations, You’re Done -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment. \ No newline at end of file +Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment. diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d3f89032e3..1d95c44fb4 100644 --- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -107,4 +107,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) + +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). \ No newline at end of file diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 47ca379543..2d55ec35a7 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,7 +1,6 @@ --- title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10) -description: Windows Defender Firewall with Advanced Security -Design Guide +description: Windows Defender Firewall with Advanced Security Design Guide ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 6b96cc2abc..35f3b14372 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md 
@@ -1,5 +1,6 @@ # [Manage applications in Windows 10](index.md) ## [Sideload apps](sideload-apps-in-windows-10.md) +## [Remove background task resource restrictions](enterprise-background-activity-controls.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) @@ -101,5 +102,7 @@ #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## [Service Host process refactoring](svchost-service-refactoring.md) ## [Per-user services in Windows](per-user-services-in-windows.md) +## [Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) +## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md new file mode 100644 index 0000000000..215e71f9f0 --- /dev/null +++ b/windows/application-management/apps-in-windows-10.md 
@@ -0,0 +1,153 @@ +--- +title: Windows 10 - Apps +description: What are Windows, UWP, and Win32 apps +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.localizationpriority: low +ms.date: 09/15/2017 +--- +# Understand the different apps included in Windows 10 + +The following types of apps run on Windows 10: +- Windows apps - introduced in Windows 8, primarily installed from the Store app. +- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. +- "Win32" apps - traditional Windows applications, built for 32-bit systems. + +Digging into the Windows apps, there are two categories: +- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. +- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: + - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. + - Installed: Installed as part of the OS. + +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1511, 1607, and 1703, and indicate whether an app can be uninstalled through the UI. + +Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. + +> [!TIP] +> Want to see a list of the apps installed on your specific image? 
You can run the following PowerShell cmdlet: +> ```powershell +> Get-AppxPackage |Select Name,PackageFamilyName +> Get-AppsProvisionedPackage -Online | select DisplayName,PackageName +> ``` + + +## System apps +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|------------------|-------------------------------------------|------|------|------|--------------------------------------------------------| +| Cortana UI | CortanaListenUIApp | | | x | No | +| | Desktop Learning | | | x | No | +| | DesktopView | | | x | No | +| | EnvironmentsApp | | | x | No | +| Mixed Reality + | HoloCamera | | | x | No | +| Mixed Reality + | HoloItemPlayerApp | | | x | No | +| Mixed Reality + | HoloShell | | | x | No | +| | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| | Microsoft.AccountsControl | x | x | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | | | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No | +| | Microsoft.PPIProjection | | x | x | No | +| | Microsoft.Windows. Apprep.ChxApp | | x | x | No | +| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows. CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows. Holographic.FirstRun | | | x | No | +| | Microsoft.Windows. ModalSharePickerHost | | | x | No | +| | Microsoft.Windows. OOBENetworkCaptivePort | | | x | No | +| | Microsoft.Windows. OOBENetworkConnection | | | x | No | +| | Microsoft.Windows. ParentalControls | x | x | x | No | +| | Microsoft.Windows. SecHealthUI | | | x | No | +| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No | +| | Microsoft.Windows. 
SecureAssessmentBrowser | | x | x | No | +| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | x | * | * | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| Xbox logon UI | Microsoft.XboxIdentityProvider | x | | | No | +| Contact Support | Windows.ContactSupport | x | x* | x* | In 1511, no.* | +| | Windows.Devicesflow | x | | | No | +| Settings | Windows.ImmersiveControlPanel | x | x | x | No | +| Connect | Windows.MiracastView | x | x | x | No | +| Print UI | Windows.PrintDialog | x | x | x | No | +| Purchase UI | Windows.PurchaseDialog | x | | | No | + +> [!NOTE] +> - The Windows Feedback app changed to the Windows Feedback Hub in version 1607. It's listed in the installed apps table below. +> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app. + +## Installed Windows apps +Here are the typical installed Windows apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|--------------------|-----------------------------------------|------|------|------|---------------------------| +| Remote Desktop | Microsoft.RemoteDesktop | | x | x | Yes | +| PowerBI | Microsoft.Microsoft PowerBIforWindows | | x | x | Yes | +| Candy Crush | king.com.CandyCrushSodaSaga | x | | | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | | x | x | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | | x | x | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | | x | x | Yes | +| Photoshop Express | AdobeSystemIncorporated. 
AdobePhotoshop | | x | x | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | | x | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | | x | x | Yes | +| Paid Wi-FI | | x | | | Yes | +| Skype Video | | x | | | Yes | +| Twitter | | x | | | Yes | +| PicArts | | x | | | Yes | +| Minecraft | | x | | | Yes | +| Flipboard | | x | | | Yes | + +## Provisioned Windows apps +Here are the typical provisioned Windows apps in Windows 10 versions 1511, 1607, and 1703. + +| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? | +|---------------------------------|----------------------------------------|------|------|------|---------------------------| +| 3D Builder | Microsoft.3DBuilder | x | | x | Yes | +| App Connector | Microsoft.Appconnector | x | | | Yes, through Settings app | +| Money | Microsoft.BingFinance | x | | | Yes | +| News | Microsoft.BingNews | x | * | * | Yes | +| Sports | Microsoft.BingSports | x | | | Yes | +| Weather | Microsoft.BingWeather | x | x | x | No | +| Phone Companion | Microsoft.CommsPhone | x | | | Yes | +| | Microsoft.ConnectivityStore | x | | | No | +| | Microsoft.DesktopAppInstaller | | x | x | Yes, through Settings app | +| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | +| Messaging | Microsoft.Messaging | x | x | x | No | +| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | | x | No | +| Get Office | Microsoft.MicrosoftOfficeHub | x | x | x | Yes | +| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes | +| Sticky Notes | Microsoft.MicrosoftStickyNotes | | x | x | No | +| OneNote | Microsoft.Office.OneNote | x | x | x | No | +| Sway | Microsoft.Office.Sway | x | * | * | Yes | +| | Microsoft.OneConnect | | x | x | No | +| Paint 3D | Microsoft.MSPaint | | | x | No | +| People | Microsoft.People | x | x | x | No | +| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | +| | Microsoft.StorePurchaseApp | | x | x | No | +| | Microsoft.Wallet | | | x | No | +| 
Photos | Microsoft.Windows.Photos | x | x | x | No | +| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | +| Calculator | Microsoft.WindowsCalculator | x | x | x | No | +| Camera | Microsoft.WindowsCamera | x | x | x | No | +| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | +| Feedback Hub | Microsoft.WindowsFeedbackHub | * | x | x | Yes | +| Maps | Microsoft.WindowsMaps | x | x | x | No | +| Phone | Microsoft.WindowsPhone | x | | | No | +| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | +| Store | Microsoft.WindowsStore | x | x | x | No | +| Xbox | Microsoft.XboxApp | x | x | x | No | +| | Microsoft.XboxGameOverlay | | | x | No | +| | Microsoft.XboxIdentityProvider | * | x | x | No | +| Groove | Microsoft.ZuneMusic | x | x | x | No | +| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | +| | Microsoft.XboxSpeech ToTextOverlay | | | x | No | + +> [!NOTE] +> - As of Windows 10, version 1607, News and Sway are installed apps. +> - Both Feedback Hub and Microsoft.XboxIdentityProvider were installed apps in version 1511 and provisioned apps in versions 1607 and later. \ No newline at end of file diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 7641745172..3aca385415 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms +ms.date: 09/15/2017 --- # Change history for Configure Windows 10 
@@ -17,7 +18,9 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) ## September 2017 | New or changed topic | Description | | --- | --- | -| [Per-user services in Windows](per-user-services-in-windows.md) | New | +| [Per-user services in Windows 10](per-user-services-in-windows.md) | New | +| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | New | +| [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New | ## July 2017 | New or changed topic | Description | diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md new file mode 100644 index 0000000000..48e61b947d --- /dev/null +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -0,0 +1,64 @@ +--- +author: TylerMSFT +title: Remove background task resource restrictions +description: Allow enterprise background tasks unrestricted access to computer resources. +ms.author: twhitney +ms.date: 09/26/2017 +ms.topic: article +ms.prod: windows +ms.technology: uwp +keywords: windows 10, uwp, enterprise, background task, resources +--- + +# Remove background task resource restrictions + +To provide the best experience for consumers, Windows provides controls that give users the choice of which experiences may run in the background. + +By default, resource limits are imposed on applications. Foreground apps are given the most memory and execution time; background apps get less. Users are thus protected from poor foreground app performance and heavy battery drain. + +Enterprise users want the same ability to enable or limit background activity. In Windows 10, version 1703 (also known as the Creators Update), enterprises can now configure settings via policy and provisioning that control background activity. + +## Background activity controls + +Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background. + + + +The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. 
Here is the set of available controls on desktop: + + + +Here is the set of available controls for mobile devices: + + + +Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity). + +## Enterprise background activity controls + +Starting with Windows 10, version 1703, enterprises can control background activity through mobile device management (MDM) or Group Policy. The user controls discussed above can be controlled with the following policies: + +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground` +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceAllowTheseApps` +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps` +`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps` + +These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies. 
+ +An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](https://docs.microsoft.com/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](https://docs.microsoft.com/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page: + +- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This enables apps to run as much as possible in the background, including while the device is in battery saver mode. + +- **AllowedSubjectToSystemPolicy**: This is the default value. It corresponds to **Managed by Windows**. This enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state then background activities do not run. + +- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app cannot currently run in the background. + +- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. The app cannot run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app is not allowed to run in the background. + +The Universal Windows Platform ensures that consumers will have great battery life and that foreground apps will perform well. Enterprises have the ability to change settings to enable scenarios specific to their business needs. Administrators can use the **Background apps** policies to enable or disable whether a UWP app can run in the background. 
+ +## See also + +- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly) +- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) +[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity) diff --git a/windows/application-management/images/backgroundapps-setting.png b/windows/application-management/images/backgroundapps-setting.png new file mode 100644 index 0000000000..ffa7af0ccf Binary files /dev/null and b/windows/application-management/images/backgroundapps-setting.png differ diff --git a/windows/application-management/images/battery-usage-by-app-desktop.png b/windows/application-management/images/battery-usage-by-app-desktop.png new file mode 100644 index 0000000000..00f7d51136 Binary files /dev/null and b/windows/application-management/images/battery-usage-by-app-desktop.png differ diff --git a/windows/application-management/images/battery-usage-by-app-mobile.png b/windows/application-management/images/battery-usage-by-app-mobile.png new file mode 100644 index 0000000000..cb920d0d02 Binary files /dev/null and b/windows/application-management/images/battery-usage-by-app-mobile.png differ diff --git a/windows/application-management/index.md b/windows/application-management/index.md index d6c32fbe93..b42c674d12 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium +ms.date: 09/15/2017 --- # Windows 10 application management 
@@ -18,7 +19,12 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients. | Topic | Description | |---|---| -|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| +| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. | +|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | +|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| +[Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience +|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise| | [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile | +[Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile. 
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index a31b464390..f784c78af2 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: mobile ms.author: elizapo author: lizap -ms.date: 08/14/2017 +ms.date: 09/13/2017 --- # Per-user services in Windows 10 and Windows Server 
@@ -19,17 +19,17 @@ Per-user services are services that are created when a user signs into Windows o > [!NOTE] > Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. -You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**. +You can configure the template service to create per-user services in a stopped and disabled state by setting the template service's **Startup Type** to **Disabled**. > [!IMPORTANT] -> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. +> Carefully test any changes to the template service's Startup Type before deploying in production. Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates. For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server). ## Per-user services -Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. +Windows 10 and Windows Server (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. 
Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 43db69d30f..d8a901623a 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -23,7 +23,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. +- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index e9a60b1ed6..e02d2d3e65 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -168,4 +168,4 @@ When a user is configured with a mandatory profile, Windows 10 starts as though - [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) - [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) - +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897). 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 2d6046fef1..623210a376 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -2,6 +2,7 @@ ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) ## [Mobile device enrollment](mobile-device-enrollment.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) +### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) @@ -17,9 +18,9 @@ ## [Enterprise app management](enterprise-app-management.md) ## [Device update management](device-update-management.md) ## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md) -## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md) -### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md) -#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md) +## [Management tool for the Micosoft Store for Business](management-tool-for-windows-store-for-business.md) +### [REST API reference for Micosoft Store for Business](rest-api-reference-windows-store-for-business.md) +#### [Data structures for Micosoft Store for Business](data-structures-windows-store-for-business.md) #### [Get Inventory](get-inventory.md) #### [Get product details](get-product-details.md) #### [Get localized product details](get-localized-product-details.md) 
@@ -202,6 +203,7 @@ #### [Experience](policy-csp-experience.md) #### [ExploitGuard](policy-csp-exploitguard.md) #### [Games](policy-csp-games.md) +#### [Handwriting](policy-csp-handwriting.md) #### [InternetExplorer](policy-csp-internetexplorer.md) #### [Kerberos](policy-csp-kerberos.md) #### [Licensing](policy-csp-licensing.md) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7564c89e41..2737a54616 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -266,9 +266,9 @@ FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corp You can get the publisher name and product name of apps using a web API. -**To find publisher and product name for Microsoft apps in Windows Store for Business** +**To find publisher and product name for Microsoft apps in Microsoft Store for Business** -1. Go to the Windows Store for Business website, and find your app. For example, Microsoft OneNote. +1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. 3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index 510be6e748..f8ba2b865f 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md 
@@ -1,6 +1,6 @@ --- title: Assign seat -description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business. +description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552 ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Assign seat -The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business. +The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 59f79b2a6c..2e6580c656 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/27/2017 +ms.date: 09/19/2017 --- # AssignedAccess CSP @@ -19,7 +19,7 @@ The AssignedAccess configuration service provider (CSP) is used set the device t For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) -> **Note** The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education. +> **Note** The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro. The following diagram shows the AssignedAccess configuration service provider in tree format diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 33f5904925..7b7845d806 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md 
+++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -1,6 +1,6 @@ --- title: Bulk assign and reclaim seats from users -description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business. +description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A ms.author: maricia ms.topic: article @@ -12,7 +12,7 @@ ms.date: 06/19/2017 # Bulk assign and reclaim seats from users -The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business. +The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f619993de2..ff8c33aa7e 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/27/2017 +ms.date: 09/19/2017 --- # Configuration service provider reference @@ -164,7 +164,7 @@ Footnotes:
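Review bot: In enterprise-background-activity-controls.md, the link text BackgroundExecutionManager.RequestAccessAsync points at the BackgroundAccessStatus API page, the same target as the BackgroundAccessStatus link that follows it in the same sentence; point the first link at the RequestAccessAsync reference instead. In the See also list, the last added entry, `+[Optimize background activity](...)`, lacks the leading `- ` that the two entries above it have, so it will not render as a list item.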
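Review bot: In application-management/index.md, the added row `|[Per User services in Windows 10](sideload-apps-in-windows-10.md)|` reuses the link target of the sideload row above it; per-user-services-in-windows.md, which this same diff edits, looks like the intended target. The added rows for "Disabling System Services in Windows Server" and "Change history for Application management" have no leading `|` and no closing `|`, unlike every other row in the table, so they are likely to break the table layout. "Windows 2016" in the per-user row presumably means Windows Server 2016.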
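Review bot: In client-management/mdm/TOC.md, all three renamed entries spell the product "Micosoft Store for Business" (`+## [Management tool for the Micosoft Store for Business]` and the two entries nested under it). It should read "Microsoft", as the applocker-csp.md and assign-seats.md changes in this diff already do.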
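Review bot: In per-user-services-in-windows.md, the rewritten sentence removes the explicit statement "You can't prevent per-user services from being created" and leaves only the instruction to set the template service's Startup Type to Disabled. If that limitation still holds, keep it in the new wording: the added line only implies it ("create per-user services in a stopped and disabled state"), and an administrator hardening a host needs to know that the services still exist after the change.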





Supported operations are Get and Replace.
+## Examples + +``` syntax + + + +Management tool for the Windows Store for Business
Management tool for the Micosoft Store for Business
New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+-
+
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. +
- ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need. +
- DomainName - fully qualified domain name if the device is domain-joined. +
For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+Added new CSP in Windows 10, version 1709.
Added DeviceTunnel profile in Windows 10, version 1709.
+Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709.
- Configuration
Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.
Added new policies.
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+New features in the Settings app:
+-
+
- User sees installation progress of critical policies during MDM enrollment. +
- User knows what policies, profiles, apps MDM has configured +
- IT helpdesk can get detailed MDM diagnostic information using client tools +
For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
+Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+Added the following new policies for Windows 10, version 1709:
-
+
- Authentication/AllowAadPasswordReset
- Browser/LockdownFavorites
- Browser/ProvisionFavorites
- CredentialProviders/DisableAutomaticReDeploymentCredentials @@ -1000,6 +1029,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- DeviceGuard/LsaCfgFlags
- ExploitGuard/ExploitProtectionSettings
- Games/AllowAdvancedGamingServices +
- Handwriting/PanelDefaultModeDocked
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus @@ -1355,9 +1385,52 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- Authentication/AllowAadPasswordReset +
- Handwriting/PanelDefaultModeDocked
- Search/AllowCloudSearch
- System/LimitEnhancedDiagnosticDataWindowsAnalytics
Added the following new policies for Windows 10, version 1709:
-
+
Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.
+Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
+Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+-
+
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. +
- ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need. +
- DomainName - fully qualified domain name if the device is domain-joined. +
For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+Added a SyncML example.
+Added RegisterDNS setting in Windows 10, version 1709.
+Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+New features in the Settings app:
+-
+
- User sees installation progress of critical policies during MDM enrollment. +
- User knows what policies, profiles, apps MDM has configured +
- IT helpdesk can get detailed MDM diagnostic information using client tools +
For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
- Added Configuration node
Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.
-
+
- + Authentication/AllowAadPasswordReset +
- Authentication/AllowEAPCertSSO @@ -1024,6 +1047,14 @@ The following diagram shows the Policy configuration service provider in tree fo
-
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 2268695665..64f921aac1 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - AboveLock
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
- + AboveLock/AllowActionCenterNotifications + +
- + AboveLock/AllowCortanaAboveLock + +
- + AboveLock/AllowToasts + +
- + Accounts/AllowAddingNonMicrosoftAccountsManually + +
- + Accounts/AllowMicrosoftAccountConnection + +
- + Accounts/AllowMicrosoftAccountSignInAssistant + +
- + Accounts/DomainNamesForEmailSync + +
- + ApplicationManagement/AllowAllTrustedApps + +
- + ApplicationManagement/AllowAppStoreAutoUpdate + +
- + ApplicationManagement/AllowDeveloperUnlock + +
- + ApplicationManagement/AllowGameDVR + +
- + ApplicationManagement/AllowSharedUserAppData + +
- + ApplicationManagement/AllowStore + +
- + ApplicationManagement/ApplicationRestrictions + +
- + ApplicationManagement/DisableStoreOriginatedApps + +
- + ApplicationManagement/RequirePrivateStoreOnly + +
- + ApplicationManagement/RestrictAppDataToSystemVolume + +
- + ApplicationManagement/RestrictAppToSystemVolume + +
- + AppVirtualization/AllowAppVClient + +
- + AppVirtualization/AllowDynamicVirtualization + +
- + AppVirtualization/AllowPackageCleanup + +
- + AppVirtualization/AllowPackageScripts + +
- + AppVirtualization/AllowPublishingRefreshUX + +
- + AppVirtualization/AllowReportingServer + +
- + AppVirtualization/AllowRoamingFileExclusions + +
- + AppVirtualization/AllowRoamingRegistryExclusions + +
- + AppVirtualization/AllowStreamingAutoload + +
- + AppVirtualization/ClientCoexistenceAllowMigrationmode + +
- + AppVirtualization/IntegrationAllowRootGlobal + +
- + AppVirtualization/IntegrationAllowRootUser + +
- + AppVirtualization/PublishingAllowServer1 + +
- + AppVirtualization/PublishingAllowServer2 + +
- + AppVirtualization/PublishingAllowServer3 + +
- + AppVirtualization/PublishingAllowServer4 + +
- + AppVirtualization/PublishingAllowServer5 + +
- + AppVirtualization/StreamingAllowCertificateFilterForClient_SSL + +
- + AppVirtualization/StreamingAllowHighCostLaunch + +
- + AppVirtualization/StreamingAllowLocationProvider + +
- + AppVirtualization/StreamingAllowPackageInstallationRoot + +
- + AppVirtualization/StreamingAllowPackageSourceRoot + +
- + AppVirtualization/StreamingAllowReestablishmentInterval + +
- + AppVirtualization/StreamingAllowReestablishmentRetries + +
- + AppVirtualization/StreamingSharedContentStoreMode + +
- + AppVirtualization/StreamingSupportBranchCache + +
- + AppVirtualization/StreamingVerifyCertificateRevocationList + +
- + AppVirtualization/VirtualComponentsAllowList + +
- + AttachmentManager/DoNotPreserveZoneInformation + +
- + AttachmentManager/HideZoneInfoMechanism + +
- + AttachmentManager/NotifyAntivirusPrograms + +
- + Authentication/AllowAadPasswordReset + +
- + Authentication/AllowEAPCertSSO + +
- + Authentication/AllowFastReconnect + +
- + Authentication/AllowSecondaryAuthenticationDevice + +
- + Autoplay/DisallowAutoplayForNonVolumeDevices + +
- + Autoplay/SetDefaultAutoRunBehavior + +
- + Autoplay/TurnOffAutoPlay + +
- + Bitlocker/EncryptionMethod + +
- + Bluetooth/AllowAdvertising + +
- + Bluetooth/AllowDiscoverableMode + +
- + Bluetooth/AllowPrepairing + +
- + Bluetooth/LocalDeviceName + +
- + Bluetooth/ServicesAllowedList + +
- + Browser/AllowAddressBarDropdown + +
- + Browser/AllowAutofill + +
- + Browser/AllowBrowser + +
- + Browser/AllowCookies + +
- + Browser/AllowDeveloperTools + +
- + Browser/AllowDoNotTrack + +
- + Browser/AllowExtensions + +
- + Browser/AllowFlash + +
- + Browser/AllowFlashClickToRun + +
- + Browser/AllowInPrivate + +
- + Browser/AllowMicrosoftCompatibilityList + +
- + Browser/AllowPasswordManager + +
- + Browser/AllowPopups + +
- + Browser/AllowSearchEngineCustomization + +
- + Browser/AllowSearchSuggestionsinAddressBar + +
- + Browser/AllowSmartScreen + +
- + Browser/AlwaysEnableBooksLibrary + +
- + Browser/ClearBrowsingDataOnExit + +
- + Browser/ConfigureAdditionalSearchEngines + +
- + Browser/DisableLockdownOfStartPages + +
- + Browser/EnterpriseModeSiteList + +
- + Browser/EnterpriseSiteListServiceUrl + +
- + Browser/FirstRunURL + +
- + Browser/HomePages + +
- + Browser/LockdownFavorites + +
- + Browser/PreventAccessToAboutFlagsInMicrosoftEdge + +
- + Browser/PreventFirstRunPage + +
- + Browser/PreventLiveTileDataCollection + +
- + Browser/PreventSmartScreenPromptOverride + +
- + Browser/PreventSmartScreenPromptOverrideForFiles + +
- + Browser/PreventUsingLocalHostIPAddressForWebRTC + +
- + Browser/ProvisionFavorites + +
- + Browser/SendIntranetTraffictoInternetExplorer + +
- + Browser/SetDefaultSearchEngine + +
- + Browser/ShowMessageWhenOpeningSitesInInternetExplorer + +
- + Browser/SyncFavoritesBetweenIEAndMicrosoftEdge + +
- + Camera/AllowCamera + +
- + Cellular/ShowAppCellularAccessUI + +
- + Connectivity/AllowBluetooth + +
- + Connectivity/AllowCellularData + +
- + Connectivity/AllowCellularDataRoaming + +
- + Connectivity/AllowConnectedDevices + +
- + Connectivity/AllowNFC + +
- + Connectivity/AllowUSBConnection + +
- + Connectivity/AllowVPNOverCellular + +
- + Connectivity/AllowVPNRoamingOverCellular + +
- + Connectivity/DiablePrintingOverHTTP + +
- + Connectivity/DisableDownloadingOfPrintDriversOverHTTP + +
- + Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards + +
- + Connectivity/HardenedUNCPaths + +
- + Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge + +
- + CredentialProviders/AllowPINLogon + +
- + CredentialProviders/BlockPicturePassword + +
- + CredentialProviders/DisableAutomaticReDeploymentCredentials + +
- + DataUsage/SetCost3G + +
- + DataUsage/SetCost4G + +
- + Defender/AllowArchiveScanning + +
- + Defender/AllowBehaviorMonitoring + +
- + Defender/AllowCloudProtection + +
- + Defender/AllowEmailScanning + +
- + Defender/AllowFullScanOnMappedNetworkDrives + +
- + Defender/AllowFullScanRemovableDriveScanning + +
- + Defender/AllowIOAVProtection + +
- + Defender/AllowIntrusionPreventionSystem + +
- + Defender/AllowOnAccessProtection + +
- + Defender/AllowRealtimeMonitoring + +
- + Defender/AllowScanningNetworkFiles + +
- + Defender/AllowScriptScanning + +
- + Defender/AllowUserUIAccess + +
- + Defender/AttackSurfaceReductionOnlyExclusions + +
- + Defender/AttackSurfaceReductionRules + +
- + Defender/AvgCPULoadFactor + +
- + Defender/CloudBlockLevel + +
- + Defender/CloudExtendedTimeout + +
- + Defender/ControlledFolderAccessAllowedApplications + +
- + Defender/ControlledFolderAccessProtectedFolders + +
- + Defender/DaysToRetainCleanedMalware + +
- + Defender/EnableControlledFolderAccess + +
- + Defender/EnableNetworkProtection + +
- + Defender/ExcludedExtensions + +
- + Defender/ExcludedPaths + +
- + Defender/ExcludedProcesses + +
- + Defender/PUAProtection + +
- + Defender/RealTimeScanDirection + +
- + Defender/ScanParameter + +
- + Defender/ScheduleQuickScanTime + +
- + Defender/ScheduleScanDay + +
- + Defender/ScheduleScanTime + +
- + Defender/SignatureUpdateInterval + +
- + Defender/SubmitSamplesConsent + +
- + Defender/ThreatSeverityDefaultAction + +
- + DeliveryOptimization/DOAbsoluteMaxCacheSize + +
- + DeliveryOptimization/DOAllowVPNPeerCaching + +
- + DeliveryOptimization/DODownloadMode + +
- + DeliveryOptimization/DOGroupId + +
- + DeliveryOptimization/DOMaxCacheAge + +
- + DeliveryOptimization/DOMaxCacheSize + +
- + DeliveryOptimization/DOMaxDownloadBandwidth + +
- + DeliveryOptimization/DOMaxUploadBandwidth + +
- + DeliveryOptimization/DOMinBackgroundQos + +
- + DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload + +
- + DeliveryOptimization/DOMinDiskSizeAllowedToPeer + +
- + DeliveryOptimization/DOMinFileSizeToCache + +
- + DeliveryOptimization/DOMinRAMAllowedToPeer + +
- + DeliveryOptimization/DOModifyCacheDrive + +
- + DeliveryOptimization/DOMonthlyUploadDataCap + +
- + DeliveryOptimization/DOPercentageMaxDownloadBandwidth + +
- + DeviceGuard/EnableVirtualizationBasedSecurity + +
- + DeviceGuard/LsaCfgFlags + +
- + DeviceGuard/RequirePlatformSecurityFeatures + +
- + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + +
- + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + +
- + DeviceLock/AllowIdleReturnWithoutPassword + +
- + DeviceLock/AllowScreenTimeoutWhileLockedUserConfig + +
- + DeviceLock/AllowSimpleDevicePassword + +
- + DeviceLock/AlphanumericDevicePasswordRequired + +
- + DeviceLock/DevicePasswordEnabled + +
- + DeviceLock/DevicePasswordExpiration + +
- + DeviceLock/DevicePasswordHistory + +
- + DeviceLock/EnforceLockScreenAndLogonImage + +
- + DeviceLock/EnforceLockScreenProvider + +
- + DeviceLock/MaxDevicePasswordFailedAttempts + +
- + DeviceLock/MaxInactivityTimeDeviceLock + +
- + DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay + +
- + DeviceLock/MinDevicePasswordComplexCharacters + +
- + DeviceLock/MinDevicePasswordLength + +
- + DeviceLock/PreventLockScreenSlideShow + +
- + DeviceLock/ScreenTimeoutWhileLocked + +
- + Education/DefaultPrinterName + +
- + Education/PreventAddingNewPrinters + +
- + Education/PrinterNames + +
- + EnterpriseCloudPrint/CloudPrintOAuthAuthority + +
- + EnterpriseCloudPrint/CloudPrintOAuthClientId + +
- + EnterpriseCloudPrint/CloudPrintResourceId + +
- + EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint + +
- + EnterpriseCloudPrint/DiscoveryMaxPrinterLimit + +
- + EnterpriseCloudPrint/MopriaDiscoveryResourceId + +
- + ErrorReporting/CustomizeConsentSettings + +
- + ErrorReporting/DisableWindowsErrorReporting + +
- + ErrorReporting/DisplayErrorNotification + +
- + ErrorReporting/DoNotSendAdditionalData + +
- + ErrorReporting/PreventCriticalErrorDisplay + +
- + EventLogService/ControlEventLogBehavior + +
- + EventLogService/SpecifyMaximumFileSizeApplicationLog + +
- + EventLogService/SpecifyMaximumFileSizeSecurityLog + +
- + EventLogService/SpecifyMaximumFileSizeSystemLog + +
- + Experience/AllowCopyPaste + +
- + Experience/AllowCortana + +
- + Experience/AllowDeviceDiscovery + +
- + Experience/AllowFindMyDevice + +
- + Experience/AllowManualMDMUnenrollment + +
- + Experience/AllowSIMErrorDialogPromptWhenNoSIM + +
- + Experience/AllowScreenCapture + +
- + Experience/AllowSyncMySettings + +
- + Experience/AllowTailoredExperiencesWithDiagnosticData + +
- + Experience/AllowTaskSwitcher + +
- + Experience/AllowThirdPartySuggestionsInWindowsSpotlight + +
- + Experience/AllowVoiceRecording + +
- + Experience/AllowWindowsConsumerFeatures + +
- + Experience/AllowWindowsSpotlight + +
- + Experience/AllowWindowsSpotlightOnActionCenter + +
- + Experience/AllowWindowsSpotlightWindowsWelcomeExperience + +
- + Experience/AllowWindowsTips + +
- + Experience/ConfigureWindowsSpotlightOnLockScreen + +
- + Experience/DoNotShowFeedbackNotifications + +
- 0 - Disabled (default) +
- 1 - Enabled +
- + InternetExplorer/AddSearchProvider + +
- + InternetExplorer/AllowActiveXFiltering + +
- + InternetExplorer/AllowAddOnList + +
- + InternetExplorer/AllowAutoComplete + +
- + InternetExplorer/AllowCertificateAddressMismatchWarning + +
- + InternetExplorer/AllowDeletingBrowsingHistoryOnExit + +
- + InternetExplorer/AllowEnhancedProtectedMode + +
- + InternetExplorer/AllowEnterpriseModeFromToolsMenu + +
- + InternetExplorer/AllowEnterpriseModeSiteList + +
- + InternetExplorer/AllowFallbackToSSL3 + +
- + InternetExplorer/AllowInternetExplorer7PolicyList + +
- + InternetExplorer/AllowInternetExplorerStandardsMode + +
- + InternetExplorer/AllowInternetZoneTemplate + +
- + InternetExplorer/AllowIntranetZoneTemplate + +
- + InternetExplorer/AllowLocalMachineZoneTemplate + +
- + InternetExplorer/AllowLockedDownInternetZoneTemplate + +
- + InternetExplorer/AllowLockedDownIntranetZoneTemplate + +
- + InternetExplorer/AllowLockedDownLocalMachineZoneTemplate + +
- + InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate + +
- + InternetExplorer/AllowOneWordEntry + +
- + InternetExplorer/AllowSiteToZoneAssignmentList + +
- + InternetExplorer/AllowSoftwareWhenSignatureIsInvalid + +
- + InternetExplorer/AllowSuggestedSites + +
- + InternetExplorer/AllowTrustedSitesZoneTemplate + +
- + InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate + +
- + InternetExplorer/AllowsRestrictedSitesZoneTemplate + +
- + InternetExplorer/CheckServerCertificateRevocation + +
- + InternetExplorer/CheckSignaturesOnDownloadedPrograms + +
- + InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses + +
- + InternetExplorer/DisableAdobeFlash + +
- + InternetExplorer/DisableBlockingOfOutdatedActiveXControls + +
- + InternetExplorer/DisableBypassOfSmartScreenWarnings + +
- + InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles + +
- + InternetExplorer/DisableConfiguringHistory + +
- + InternetExplorer/DisableCrashDetection + +
- + InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation + +
- + InternetExplorer/DisableDeletingUserVisitedWebsites + +
- + InternetExplorer/DisableEnclosureDownloading + +
- + InternetExplorer/DisableEncryptionSupport + +
- + InternetExplorer/DisableFirstRunWizard + +
- + InternetExplorer/DisableFlipAheadFeature + +
- + InternetExplorer/DisableHomePageChange + +
- + InternetExplorer/DisableIgnoringCertificateErrors + +
- + InternetExplorer/DisableInPrivateBrowsing + +
- + InternetExplorer/DisableProcessesInEnhancedProtectedMode + +
- + InternetExplorer/DisableProxyChange + +
- + InternetExplorer/DisableSearchProviderChange + +
- + InternetExplorer/DisableSecondaryHomePageChange + +
- + InternetExplorer/DisableSecuritySettingsCheck + +
- + InternetExplorer/DisableUpdateCheck + +
- + InternetExplorer/DoNotAllowActiveXControlsInProtectedMode + +
- + InternetExplorer/DoNotAllowUsersToAddSites + +
- + InternetExplorer/DoNotAllowUsersToChangePolicies + +
- + InternetExplorer/DoNotBlockOutdatedActiveXControls + +
- + InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains + +
- + InternetExplorer/IncludeAllLocalSites + +
- + InternetExplorer/IncludeAllNetworkPaths + +
- + InternetExplorer/InternetZoneAllowAccessToDataSources + +
- + InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/InternetZoneAllowCopyPasteViaScript + +
- + InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles + +
- + InternetExplorer/InternetZoneAllowFontDownloads + +
- + InternetExplorer/InternetZoneAllowLessPrivilegedSites + +
- + InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles + +
- + InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + +
- + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + +
- + InternetExplorer/InternetZoneAllowScriptInitiatedWindows + +
- + InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + +
- + InternetExplorer/InternetZoneAllowScriptlets + +
- + InternetExplorer/InternetZoneAllowSmartScreenIE + +
- + InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript + +
- + InternetExplorer/InternetZoneAllowUserDataPersistence + +
- + InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls + +
- + InternetExplorer/InternetZoneDownloadSignedActiveXControls + +
- + InternetExplorer/InternetZoneDownloadUnsignedActiveXControls + +
- + InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter + +
- + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + +
- + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + +
- + InternetExplorer/InternetZoneEnableMIMESniffing + +
- + InternetExplorer/InternetZoneEnableProtectedMode + +
- + InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer + +
- + InternetExplorer/InternetZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + +
- + InternetExplorer/InternetZoneJavaPermissions + +
- + InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME + +
- + InternetExplorer/InternetZoneLogonOptions + +
- + InternetExplorer/InternetZoneNavigateWindowsAndFrames + +
- + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + +
- + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + +
- + InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + +
- + InternetExplorer/InternetZoneUsePopupBlocker + +
- + InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + +
- + InternetExplorer/IntranetZoneAllowAccessToDataSources + +
- + InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/IntranetZoneAllowFontDownloads + +
- + InternetExplorer/IntranetZoneAllowLessPrivilegedSites + +
- + InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/IntranetZoneAllowScriptlets + +
- + InternetExplorer/IntranetZoneAllowSmartScreenIE + +
- + InternetExplorer/IntranetZoneAllowUserDataPersistence + +
- + InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls + +
- + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + +
- + InternetExplorer/IntranetZoneJavaPermissions + +
- + InternetExplorer/IntranetZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LocalMachineZoneAllowAccessToDataSources + +
- + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LocalMachineZoneAllowFontDownloads + +
- + InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LocalMachineZoneAllowScriptlets + +
- + InternetExplorer/LocalMachineZoneAllowSmartScreenIE + +
- + InternetExplorer/LocalMachineZoneAllowUserDataPersistence + +
- + InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + +
- + InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LocalMachineZoneJavaPermissions + +
- + InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources + +
- + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LockedDownInternetZoneAllowFontDownloads + +
- + InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LockedDownInternetZoneAllowScriptlets + +
- + InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE + +
- + InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence + +
- + InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LockedDownInternetZoneJavaPermissions + +
- + InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources + +
- + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LockedDownIntranetZoneAllowFontDownloads + +
- + InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LockedDownIntranetZoneAllowScriptlets + +
- + InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE + +
- + InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence + +
- + InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE + +
- + InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence + +
- + InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LockedDownLocalMachineZoneJavaPermissions + +
- + InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE + +
- + InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence + +
- + InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions + +
- + InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE + +
- + InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence + +
- + InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions + +
- + InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames + +
- + InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses + +
- + InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses + +
- + InternetExplorer/NotificationBarInternetExplorerProcesses + +
- + InternetExplorer/PreventManagingSmartScreenFilter + +
- + InternetExplorer/PreventPerUserInstallationOfActiveXControls + +
- + InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses + +
- + InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls + +
- + InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses + +
- + InternetExplorer/RestrictFileDownloadInternetExplorerProcesses + +
- + InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources + +
- + InternetExplorer/RestrictedSitesZoneAllowActiveScripting + +
- + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors + +
- + InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript + +
- + InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + +
- + InternetExplorer/RestrictedSitesZoneAllowFileDownloads + +
- + InternetExplorer/RestrictedSitesZoneAllowFontDownloads + +
- + InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites + +
- + InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles + +
- + InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH + +
- + InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + +
- + InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows + +
- + InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + +
- + InternetExplorer/RestrictedSitesZoneAllowScriptlets + +
- + InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE + +
- + InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + +
- + InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence + +
- + InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter + +
- + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + +
- + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + +
- + InternetExplorer/RestrictedSitesZoneEnableMIMESniffing + +
- + InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + +
- + InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/RestrictedSitesZoneJavaPermissions + +
- + InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + +
- + InternetExplorer/RestrictedSitesZoneLogonOptions + +
- + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames + +
- + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + +
- + InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins + +
- + InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + +
- + InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + +
- + InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets + +
- + InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles + +
- + InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter + +
- + InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode + +
- + InternetExplorer/RestrictedSitesZoneUsePopupBlocker + +
- + InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + +
- + InternetExplorer/SearchProviderList + +
- + InternetExplorer/SecurityZonesUseOnlyMachineSettings + +
- + InternetExplorer/SpecifyUseOfActiveXInstallerService + +
- + InternetExplorer/TrustedSitesZoneAllowAccessToDataSources + +
- + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + +
- + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + +
- + InternetExplorer/TrustedSitesZoneAllowFontDownloads + +
- + InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites + +
- + InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents + +
- + InternetExplorer/TrustedSitesZoneAllowScriptlets + +
- + InternetExplorer/TrustedSitesZoneAllowSmartScreenIE + +
- + InternetExplorer/TrustedSitesZoneAllowUserDataPersistence + +
- + InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + +
- + InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls + +
- + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls + +
- + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe + +
- + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe + +
- + InternetExplorer/TrustedSitesZoneJavaPermissions + +
- + InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames + +
- + Kerberos/AllowForestSearchOrder + +
- + Kerberos/KerberosClientSupportsClaimsCompoundArmor + +
- + Kerberos/RequireKerberosArmoring + +
- + Kerberos/RequireStrictKDCValidation + +
- + Kerberos/SetMaximumContextTokenSize + +
- + Licensing/AllowWindowsEntitlementReactivation + +
- + Licensing/DisallowKMSClientOnlineAVSValidation + +
- + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts + +
- + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus + +
- + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus + +
- + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly + +
- + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount + +
- + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn + +
- + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn + +
- + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests + +
- + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon + +
- + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + +
- + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation + +
- + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators + +
- + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers + +
- + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated + +
- + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + +
- + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode + +
- + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation + +
- + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations + +
- + Location/EnableLocation + +
- + LockDown/AllowEdgeSwipe + +
- + Messaging/AllowMMS + +
- + Messaging/AllowMessageSync + +
- + Messaging/AllowRCS + +
- + NetworkIsolation/EnterpriseCloudResources + +
- + NetworkIsolation/EnterpriseIPRange + +
- + NetworkIsolation/EnterpriseIPRangesAreAuthoritative + +
- + NetworkIsolation/EnterpriseInternalProxyServers + +
- + NetworkIsolation/EnterpriseNetworkDomainNames + +
- + NetworkIsolation/EnterpriseProxyServers + +
- + NetworkIsolation/EnterpriseProxyServersAreAuthoritative + +
- + NetworkIsolation/NeutralResources + +
- + Power/AllowStandbyWhenSleepingPluggedIn + +
- + Power/DisplayOffTimeoutOnBattery + +
- + Power/DisplayOffTimeoutPluggedIn + +
- + Power/HibernateTimeoutOnBattery + +
- + Power/HibernateTimeoutPluggedIn + +
- + Power/RequirePasswordWhenComputerWakesOnBattery + +
- + Power/RequirePasswordWhenComputerWakesPluggedIn + +
- + Power/StandbyTimeoutOnBattery + +
- + Power/StandbyTimeoutPluggedIn + +
- + Printers/PointAndPrintRestrictions + +
- + Printers/PointAndPrintRestrictions_User + +
- + Printers/PublishPrinters + +
- + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts + +
- + Privacy/AllowInputPersonalization + +
- + Privacy/DisableAdvertisingId + +
- + Privacy/EnableActivityFeed + +
- + Privacy/LetAppsAccessAccountInfo + +
- + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCalendar + +
- + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCallHistory + +
- + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCamera + +
- + Privacy/LetAppsAccessCamera_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCamera_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessContacts + +
- + Privacy/LetAppsAccessContacts_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessContacts_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessEmail + +
- + Privacy/LetAppsAccessEmail_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessEmail_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessLocation + +
- + Privacy/LetAppsAccessLocation_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessLocation_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMessaging + +
- + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMicrophone + +
- + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMotion + +
- + Privacy/LetAppsAccessMotion_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMotion_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessNotifications + +
- + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessPhone + +
- + Privacy/LetAppsAccessPhone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessPhone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessRadios + +
- + Privacy/LetAppsAccessRadios_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessRadios_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTasks + +
- + Privacy/LetAppsAccessTasks_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTasks_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices + +
- + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsRunInBackground + +
- + Privacy/LetAppsRunInBackground_ForceAllowTheseApps + +
- + Privacy/LetAppsRunInBackground_ForceDenyTheseApps + +
- + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps + +
- + Privacy/LetAppsSyncWithDevices + +
- + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps + +
- + Privacy/PublishUserActivities + +
- + RemoteAssistance/CustomizeWarningMessages + +
- + RemoteAssistance/SessionLogging + +
- + RemoteAssistance/SolicitedRemoteAssistance + +
- + RemoteAssistance/UnsolicitedRemoteAssistance + +
- + RemoteDesktopServices/AllowUsersToConnectRemotely + +
- + RemoteDesktopServices/ClientConnectionEncryptionLevel + +
- + RemoteDesktopServices/DoNotAllowDriveRedirection + +
- + RemoteDesktopServices/DoNotAllowPasswordSaving + +
- + RemoteDesktopServices/PromptForPasswordUponConnection + +
- + RemoteDesktopServices/RequireSecureRPCCommunication + +
- + RemoteManagement/AllowBasicAuthentication_Client + +
- + RemoteManagement/AllowBasicAuthentication_Service + +
- + RemoteManagement/AllowCredSSPAuthenticationClient + +
- + RemoteManagement/AllowCredSSPAuthenticationService + +
- + RemoteManagement/AllowRemoteServerManagement + +
- + RemoteManagement/AllowUnencryptedTraffic_Client + +
- + RemoteManagement/AllowUnencryptedTraffic_Service + +
- + RemoteManagement/DisallowDigestAuthentication + +
- + RemoteManagement/DisallowNegotiateAuthenticationClient + +
- + RemoteManagement/DisallowNegotiateAuthenticationService + +
- + RemoteManagement/DisallowStoringOfRunAsCredentials + +
- + RemoteManagement/SpecifyChannelBindingTokenHardeningLevel + +
- + RemoteManagement/TrustedHosts + +
- + RemoteManagement/TurnOnCompatibilityHTTPListener + +
- + RemoteManagement/TurnOnCompatibilityHTTPSListener + +
- + RemoteProcedureCall/RPCEndpointMapperClientAuthentication + +
- + RemoteProcedureCall/RestrictUnauthenticatedRPCClients + +
- + RemoteShell/AllowRemoteShellAccess + +
- + RemoteShell/MaxConcurrentUsers + +
- + RemoteShell/SpecifyIdleTimeout + +
- + RemoteShell/SpecifyMaxMemory + +
- + RemoteShell/SpecifyMaxProcesses + +
- + RemoteShell/SpecifyMaxRemoteShells + +
- + RemoteShell/SpecifyShellTimeout + +
- + Search/AllowCloudSearch + +
- + Search/AllowIndexingEncryptedStoresOrItems + +
- + Search/AllowSearchToUseLocation + +
- + Search/AllowUsingDiacritics + +
- + Search/AlwaysUseAutoLangDetection + +
- + Search/DisableBackoff + +
- + Search/DisableRemovableDriveIndexing + +
- + Search/PreventIndexingLowDiskSpaceMB + +
- + Search/PreventRemoteQueries + +
- + Search/SafeSearchPermissions + +
- + Security/AllowAddProvisioningPackage + +
- + Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices + +
- + Security/AllowManualRootCertificateInstallation + +
- + Security/AllowRemoveProvisioningPackage + +
- + Security/AntiTheftMode + +
- + Security/ClearTPMIfNotReady + +
- + Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + +
- + Security/RequireDeviceEncryption + +
- + Security/RequireProvisioningPackageSignature + +
- + Security/RequireRetrieveHealthCertificateOnBoot + +
- + Settings/AllowAutoPlay + +
- + Settings/AllowDataSense + +
- + Settings/AllowDateTime + +
- + Settings/AllowEditDeviceName + +
- + Settings/AllowLanguage + +
- + Settings/AllowPowerSleep + +
- + Settings/AllowRegion + +
- + Settings/AllowSignInOptions + +
- + Settings/AllowVPN + +
- + Settings/AllowWorkplace + +
- + Settings/AllowYourAccount + +
- + Settings/ConfigureTaskbarCalendar + +
- + Settings/PageVisibilityList + +
- + SmartScreen/EnableAppInstallControl + +
- + SmartScreen/EnableSmartScreenInShell + +
- + SmartScreen/PreventOverrideForFilesInShell + +
- + Speech/AllowSpeechModelUpdate + +
- + Start/AllowPinnedFolderDocuments + +
- + Start/AllowPinnedFolderDownloads + +
- + Start/AllowPinnedFolderFileExplorer + +
- + Start/AllowPinnedFolderHomeGroup + +
- + Start/AllowPinnedFolderMusic + +
- + Start/AllowPinnedFolderNetwork + +
- + Start/AllowPinnedFolderPersonalFolder + +
- + Start/AllowPinnedFolderPictures + +
- + Start/AllowPinnedFolderSettings + +
- + Start/AllowPinnedFolderVideos + +
- + Start/ForceStartSize + +
- + Start/HideAppList + +
- + Start/HideChangeAccountSettings + +
- + Start/HideFrequentlyUsedApps + +
- + Start/HideHibernate + +
- + Start/HideLock + +
- + Start/HidePowerButton + +
- + Start/HideRecentJumplists + +
- + Start/HideRecentlyAddedApps + +
- + Start/HideRestart + +
- + Start/HideShutDown + +
- + Start/HideSignOut + +
- + Start/HideSleep + +
- + Start/HideSwitchAccount + +
- + Start/HideUserTile + +
- + Start/ImportEdgeAssets + +
- + Start/NoPinningToTaskbar + +
- + Start/StartLayout + +
- + Storage/EnhancedStorageDevices + +
- + System/AllowBuildPreview + +
- + System/AllowEmbeddedMode + +
- + System/AllowExperimentation + +
- + System/AllowFontProviders + +
- + System/AllowLocation + +
- + System/AllowStorageCard + +
- + System/AllowTelemetry + +
- + System/AllowUserToResetPhone + +
- + System/BootStartDriverInitialization + +
- + System/DisableOneDriveFileSync + +
- + System/DisableSystemRestore + +
- + System/LimitEnhancedDiagnosticDataWindowsAnalytics + +
- + System/TelemetryProxy + +
- + TextInput/AllowIMELogging + +
- + TextInput/AllowIMENetworkAccess + +
- + TextInput/AllowInputPanel + +
- + TextInput/AllowJapaneseIMESurrogatePairCharacters + +
- + TextInput/AllowJapaneseIVSCharacters + +
- + TextInput/AllowJapaneseNonPublishingStandardGlyph + +
- + TextInput/AllowJapaneseUserDictionary + +
- + TextInput/AllowKeyboardTextSuggestions + +
- + TextInput/AllowKoreanExtendedHanja + +
- + TextInput/AllowLanguageFeaturesUninstall + +
- + TextInput/ExcludeJapaneseIMEExceptJIS0208 + +
- + TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC + +
- + TextInput/ExcludeJapaneseIMEExceptShiftJIS + +
- + Update/ActiveHoursEnd + +
- + Update/ActiveHoursMaxRange + +
- + Update/ActiveHoursStart + +
- + Update/AllowAutoUpdate + +
- + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork + +
- + Update/AllowMUUpdateService + +
- + Update/AllowNonMicrosoftSignedUpdate + +
- + Update/AllowUpdateService + +
- + Update/AutoRestartDeadlinePeriodInDays + +
- + Update/AutoRestartNotificationSchedule + +
- + Update/AutoRestartRequiredNotificationDismissal + +
- + Update/BranchReadinessLevel + +
- + Update/DeferFeatureUpdatesPeriodInDays + +
- + Update/DeferQualityUpdatesPeriodInDays + +
- + Update/DeferUpdatePeriod + +
- + Update/DeferUpgradePeriod + +
- + Update/DetectionFrequency + +
- + Update/DisableDualScan + +
- + Update/EngagedRestartDeadline + +
- + Update/EngagedRestartSnoozeSchedule + +
- + Update/EngagedRestartTransitionSchedule + +
- + Update/ExcludeWUDriversInQualityUpdate + +
- + Update/FillEmptyContentUrls + +
- + Update/IgnoreMOAppDownloadLimit + +
- + Update/IgnoreMOUpdateDownloadLimit + +
- + Update/PauseDeferrals + +
- + Update/PauseFeatureUpdates + +
- + Update/PauseFeatureUpdatesStartTime + +
- + Update/PauseQualityUpdates + +
- + Update/PauseQualityUpdatesStartTime + +
- + Update/RequireDeferUpgrade + +
- + Update/RequireUpdateApproval + +
- + Update/ScheduleImminentRestartWarning + +
- + Update/ScheduleRestartWarning + +
- + Update/ScheduledInstallDay + +
- + Update/ScheduledInstallEveryWeek + +
- + Update/ScheduledInstallFirstWeek + +
- + Update/ScheduledInstallFourthWeek + +
- + Update/ScheduledInstallSecondWeek + +
- + Update/ScheduledInstallThirdWeek + +
- + Update/ScheduledInstallTime + +
- + Update/SetAutoRestartNotificationDisable + +
- + Update/SetEDURestart + +
- + Update/UpdateServiceUrl + +
- + Update/UpdateServiceUrlAlternate + +
- + WiFi/AllowWiFiHotSpotReporting + +
- + Wifi/AllowAutoConnectToWiFiSenseHotspots + +
- + Wifi/AllowInternetSharing + +
- + Wifi/AllowManualWiFiConfiguration + +
- + Wifi/AllowWiFi + +
- + Wifi/AllowWiFiDirect + +
- + Wifi/WLANScanMode + +
- + WindowsDefenderSecurityCenter/CompanyName + +
- + WindowsDefenderSecurityCenter/DisableAppBrowserUI + +
- + WindowsDefenderSecurityCenter/DisableEnhancedNotifications + +
- + WindowsDefenderSecurityCenter/DisableFamilyUI + +
- + WindowsDefenderSecurityCenter/DisableHealthUI + +
- + WindowsDefenderSecurityCenter/DisableNetworkUI + +
- + WindowsDefenderSecurityCenter/DisableNotifications + +
- + WindowsDefenderSecurityCenter/DisableVirusUI + +
- + WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride + +
- + WindowsDefenderSecurityCenter/Email + +
- + WindowsDefenderSecurityCenter/EnableCustomizedToasts + +
- + WindowsDefenderSecurityCenter/EnableInAppCustomization + +
- + WindowsDefenderSecurityCenter/Phone + +
- + WindowsDefenderSecurityCenter/URL + +
- + WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace + +
- + WindowsInkWorkspace/AllowWindowsInkWorkspace + +
- + WindowsLogon/DisableLockScreenAppNotifications + +
- + WindowsLogon/DontDisplayNetworkSelectionUI + +
- + WindowsLogon/HideFastUserSwitching + +
- + WirelessDisplay/AllowProjectionFromPC + +
- + WirelessDisplay/AllowProjectionFromPCOverInfrastructure + +
- + WirelessDisplay/AllowProjectionToPC + +
- + WirelessDisplay/AllowProjectionToPCOverInfrastructure + +
- + WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver + +
- + WirelessDisplay/RequirePinForPairing + +
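Review bot: the added list carries near-duplicate policy names that differ only in spelling, so it looks like stale entries were left in next to their replacements. TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls sits beside TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls, and TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe beside TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe. The area prefix is also cased two ways: WiFi/AllowWiFiHotSpotReporting, then Wifi/ for the remaining six entries. Please confirm which spelling each policy actually uses and drop or annotate the other. An administrator who copies the wrong name into a profile ends up with a security setting that is never applied.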
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files -- .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data -- OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details|
+|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
- File source data -- local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
- Kind of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
- Product ID, edition ID and product URI
- Offer details -- price
- Order requested date/time
- Store client type -- web or native client
- Purchase quantity and price
- Payment type -- credit card type and PayPal
- Service subscription status and errors
- DRM and license rights details -- Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline vs online) and duration
- License usage session
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
- OS component, app or driver publisher, language, version and type (Win32 or UWP)
- Install date, method, and install directory, count of install attempts
- MSI package code and product code
- Original OS version at install time
- User or administrator or mandatory installation/update
- Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source -- CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
- File source data -- local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Auto-completed text if there was an auto-complete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
- Kind of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results -- result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
- Product ID, edition ID and product URI
- Offer details -- price
- Order requested date/time
- Store client type -- web or native client
- Purchase quantity and price
- Payment type -- credit card type and PayPal
- Service subscription status and errors
- DRM and license rights details -- Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline vs online) and duration
- License usage session
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results -- result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
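Review bot: The two copies of the "Ink strokes written, text before and after the ink insertion point ..." item in the inking, typing and speech lists disagree on what is scrubbed before collection: one reads "(such as names, email addresses, and numeric values)" and the other "(such as email addresses and numeric values)". This sentence is the page's statement of the de-identification applied to user input, so the two copies should say the same thing; please confirm whether names are removed and use one wording in both places, including the on-screen keyboard item, which has a third variant with a stray comma ("email addresses, and numeric values"). Minor, in the same lists: "color pallet" should be "color palette", and "time to setup Microsoft Account" should be "time to set up".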
+ ## AboveLock policies +
-
+
**AboveLock/AllowActionCenterNotifications** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -60,6 +82,7 @@ ms.date: 08/30/2017 +
**AboveLock/AllowCortanaAboveLock** @@ -86,6 +109,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -96,6 +128,7 @@ ms.date: 08/30/2017 +
**AboveLock/AllowToasts** @@ -122,6 +155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow toast notifications above the device lock screen. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index f2e678427b..cbec351d99 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Accounts @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Accounts policies +
-
+
**Accounts/AllowAddingNonMicrosoftAccountsManually** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether user is allowed to add non-MSA email accounts. @@ -60,6 +85,7 @@ ms.date: 08/30/2017 +
**Accounts/AllowMicrosoftAccountConnection** @@ -86,6 +112,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -98,6 +133,7 @@ ms.date: 08/30/2017 +
**Accounts/AllowMicrosoftAccountSignInAssistant** @@ -124,6 +160,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -134,6 +179,7 @@ ms.date: 08/30/2017 +
**Accounts/DomainNamesForEmailSync** @@ -160,6 +206,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies a list of the domains that are allowed to sync email on the device. diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 755aeb5a2e..d01ca2a458 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ActiveXControls @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ActiveXControls policies + + +
**ActiveXControls/ApprovedInstallationSites** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 838ad9fbc8..4e71e25975 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationDefaults @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ApplicationDefaults policies + + +
**ApplicationDefaults/DefaultAssociationsConfiguration** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index db13ecc123..7953580ab4 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationManagement @@ -14,11 +14,48 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ApplicationManagement policies +
-
+
**ApplicationManagement/AllowAllTrustedApps** @@ -45,6 +82,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether non Windows Store apps are allowed. @@ -58,6 +104,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowAppStoreAutoUpdate** @@ -84,6 +131,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether automatic update of apps from Windows Store are allowed. @@ -96,6 +152,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowDeveloperUnlock** @@ -122,6 +179,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether developer unlock is allowed. @@ -135,6 +201,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowGameDVR** @@ -161,6 +228,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -176,6 +252,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowSharedUserAppData** @@ -202,6 +279,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether multiple users of the same app can share data. @@ -214,6 +300,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowStore** @@ -240,6 +327,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether app store is allowed at the device. @@ -252,6 +348,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/ApplicationRestrictions** @@ -278,6 +375,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -305,6 +411,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/DisableStoreOriginatedApps** @@ -331,6 +438,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. @@ -341,6 +457,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/RequirePrivateStoreOnly** @@ -367,6 +484,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Allows disabling of the retail catalog and only enables the Private store. @@ -388,6 +514,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/RestrictAppDataToSystemVolume** @@ -414,6 +541,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether application data is restricted to the system drive. @@ -426,6 +562,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/RestrictAppToSystemVolume** @@ -452,6 +589,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether the installation of applications is restricted to the system drive. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index e44fda0b34..512cbecf60 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AppVirtualization @@ -14,11 +14,99 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## AppVirtualization policies +
-
+
**AppVirtualization/AllowAppVClient** @@ -45,6 +133,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. @@ -65,6 +162,7 @@ ADMX Info: +
**AppVirtualization/AllowDynamicVirtualization** @@ -91,6 +189,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. @@ -111,6 +218,7 @@ ADMX Info: +
**AppVirtualization/AllowPackageCleanup** @@ -137,6 +245,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. @@ -157,6 +274,7 @@ ADMX Info: +
**AppVirtualization/AllowPackageScripts** @@ -183,6 +301,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables scripts defined in the package manifest of configuration files that should run. @@ -203,6 +330,7 @@ ADMX Info: +
**AppVirtualization/AllowPublishingRefreshUX** @@ -229,6 +357,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables a UX to display to the user when a publishing refresh is performed on the client. @@ -249,6 +386,7 @@ ADMX Info: +
**AppVirtualization/AllowReportingServer** @@ -275,6 +413,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Reporting Server URL: Displays the URL of reporting server. @@ -305,6 +452,7 @@ ADMX Info: +
**AppVirtualization/AllowRoamingFileExclusions** @@ -331,6 +479,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. @@ -351,6 +508,7 @@ ADMX Info: +
**AppVirtualization/AllowRoamingRegistryExclusions** @@ -377,6 +535,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. @@ -397,6 +564,7 @@ ADMX Info: +
**AppVirtualization/AllowStreamingAutoload** @@ -423,6 +591,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies how new packages should be loaded automatically by App-V on a specific computer. @@ -443,6 +620,7 @@ ADMX Info: +
**AppVirtualization/ClientCoexistenceAllowMigrationmode** @@ -469,6 +647,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. @@ -489,6 +676,7 @@ ADMX Info: +
**AppVirtualization/IntegrationAllowRootGlobal** @@ -515,6 +703,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. @@ -535,6 +732,7 @@ ADMX Info: +
**AppVirtualization/IntegrationAllowRootUser** @@ -561,6 +759,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. @@ -581,6 +788,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer1** @@ -607,6 +815,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -645,6 +862,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer2** @@ -671,6 +889,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -709,6 +936,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer3** @@ -735,6 +963,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -773,6 +1010,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer4** @@ -799,6 +1037,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -837,6 +1084,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer5** @@ -863,6 +1111,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -901,6 +1158,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** @@ -927,6 +1185,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the path to a valid certificate in the certificate store. @@ -947,6 +1214,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowHighCostLaunch** @@ -973,6 +1241,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). @@ -993,6 +1270,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowLocationProvider** @@ -1019,6 +1297,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. @@ -1039,6 +1326,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowPackageInstallationRoot** @@ -1065,6 +1353,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies directory where all new applications and updates will be installed. @@ -1085,6 +1382,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowPackageSourceRoot** @@ -1111,6 +1409,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Overrides source location for downloading package content. @@ -1131,6 +1438,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowReestablishmentInterval** @@ -1157,6 +1465,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the number of seconds between attempts to reestablish a dropped session. @@ -1177,6 +1494,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowReestablishmentRetries** @@ -1203,6 +1521,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the number of times to retry a dropped session. @@ -1223,6 +1550,7 @@ ADMX Info: +
**AppVirtualization/StreamingSharedContentStoreMode** @@ -1249,6 +1577,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies that streamed package contents will be not be saved to the local hard disk. @@ -1269,6 +1606,7 @@ ADMX Info: +
**AppVirtualization/StreamingSupportBranchCache** @@ -1295,6 +1633,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache @@ -1315,6 +1662,7 @@ ADMX Info: +
**AppVirtualization/StreamingVerifyCertificateRevocationList** @@ -1341,6 +1689,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Verifies Server certificate revocation status before streaming using HTTPS. @@ -1361,6 +1718,7 @@ ADMX Info: +
**AppVirtualization/VirtualComponentsAllowList** @@ -1387,6 +1745,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 202f7f324a..19b60c53f6 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AttachmentManager @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## AttachmentManager policies +
-
+
**AttachmentManager/DoNotPreserveZoneInformation** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. @@ -71,6 +93,7 @@ ADMX Info: +
**AttachmentManager/HideZoneInfoMechanism** @@ -97,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. @@ -123,6 +155,7 @@ ADMX Info: +
**AttachmentManager/NotifyAntivirusPrograms** @@ -149,6 +182,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index fcc6506c15..d33bbd648c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Authentication @@ -14,11 +14,73 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Authentication policies +
-
+
+ +**Authentication/AllowAadPasswordReset** + + +
Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
---|---|---|---|---|---|---|
![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+
+ + + +
Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. + +
The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + +
**Authentication/AllowEAPCertSSO** @@ -45,11 +107,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -
Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. > [!IMPORTANT] @@ -66,6 +133,7 @@ ms.date: 08/30/2017 +
**Authentication/AllowFastReconnect** @@ -92,6 +160,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -104,6 +181,7 @@ ms.date: 08/30/2017 +
**Authentication/AllowSecondaryAuthenticationDevice** @@ -130,6 +208,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index daac26b55d..f63666cdc6 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Autoplay @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Autoplay policies +
-
+
**Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -45,6 +58,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting disallows AutoPlay for MTP devices like cameras or phones. @@ -69,6 +92,7 @@ ADMX Info: +
**Autoplay/SetDefaultAutoRunBehavior** @@ -95,6 +119,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting sets the default behavior for Autorun commands. @@ -128,6 +162,7 @@ ADMX Info: +
**Autoplay/TurnOffAutoPlay** @@ -154,6 +189,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to turn off the Autoplay feature. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 1220f63607..3d4c5bac81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bitlocker @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Bitlocker policies +
-
+
**Bitlocker/EncryptionMethod** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies the BitLocker Drive Encryption method and cipher strength. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 7bd2ea4992..d874f9ffa2 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bluetooth @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Bluetooth policies +
-
+
**Bluetooth/AllowAdvertising** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether the device can send out Bluetooth advertisements. @@ -59,6 +87,7 @@ ms.date: 08/30/2017 +
**Bluetooth/AllowDiscoverableMode** @@ -85,6 +114,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether other Bluetooth-enabled devices can discover the device. @@ -99,6 +137,7 @@ ms.date: 08/30/2017 +
**Bluetooth/AllowPrepairing** @@ -125,6 +164,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -135,6 +183,7 @@ ms.date: 08/30/2017 +
**Bluetooth/LocalDeviceName** @@ -161,6 +210,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Sets the local Bluetooth device name. @@ -170,6 +228,7 @@ ms.date: 08/30/2017 +
**Bluetooth/ServicesAllowedList** @@ -196,6 +255,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 82c992e8eb..2c7f399858 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Browser @@ -14,11 +14,123 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Browser policies +
-
+
**Browser/AllowAddressBarDropdown** @@ -45,6 +157,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. @@ -60,6 +182,7 @@ ms.date: 08/30/2017 +
**Browser/AllowAutofill** @@ -86,6 +209,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether autofill on websites is allowed. @@ -105,6 +238,7 @@ ms.date: 08/30/2017 +
**Browser/AllowBrowser** @@ -131,6 +265,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -149,6 +293,7 @@ ms.date: 08/30/2017 +
**Browser/AllowCookies** @@ -175,6 +320,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether cookies are allowed. @@ -194,6 +349,7 @@ ms.date: 08/30/2017 +
**Browser/AllowDeveloperTools** @@ -220,6 +376,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -236,6 +402,7 @@ ms.date: 08/30/2017 +
**Browser/AllowDoNotTrack** @@ -262,6 +429,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether Do Not Track headers are allowed. @@ -281,6 +458,7 @@ ms.date: 08/30/2017 +
**Browser/AllowExtensions** @@ -307,6 +485,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -317,6 +505,7 @@ ms.date: 08/30/2017 +
**Browser/AllowFlash** @@ -343,6 +532,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -353,6 +552,7 @@ ms.date: 08/30/2017 +
**Browser/AllowFlashClickToRun** @@ -379,6 +579,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -389,6 +599,7 @@ ms.date: 08/30/2017 +
**Browser/AllowInPrivate** @@ -415,6 +626,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether InPrivate browsing is allowed on corporate networks. @@ -427,6 +648,7 @@ ms.date: 08/30/2017 +
**Browser/AllowMicrosoftCompatibilityList** @@ -453,6 +675,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". @@ -468,6 +700,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AllowPasswordManager** @@ -494,6 +727,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether saving and managing passwords locally on the device is allowed. @@ -513,6 +756,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AllowPopups** @@ -539,6 +783,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether pop-up blocker is allowed or enabled. @@ -558,6 +812,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AllowSearchEngineCustomization** @@ -584,6 +839,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine. @@ -598,6 +863,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AllowSearchSuggestionsinAddressBar** @@ -624,6 +890,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether search suggestions are allowed in the address bar. @@ -636,6 +912,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AllowSmartScreen** @@ -662,6 +939,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether Windows Defender SmartScreen is allowed. @@ -681,9 +968,20 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/AlwaysEnableBooksLibrary** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
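Review bot: Browser/AlwaysEnableBooksLibrary has no description or supported values in the visible lines: the added Scope checklist (User, Device) is followed directly by the next entry's hunk. Scope alone does not tell an admin what the policy does or what setting it leaves the device in, so add the description and value list in this change or hold the entry back until they exist.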
@@ -691,6 +989,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/ClearBrowsingDataOnExit** @@ -717,6 +1016,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. @@ -735,6 +1044,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +
**Browser/ConfigureAdditionalSearchEngines** @@ -761,6 +1071,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices. @@ -781,6 +1101,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/DisableLockdownOfStartPages** @@ -807,6 +1128,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect. @@ -825,6 +1156,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/EnterpriseModeSiteList** @@ -851,6 +1183,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -865,6 +1207,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/EnterpriseSiteListServiceUrl** @@ -891,12 +1234,23 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). +
**Browser/FirstRunURL** @@ -923,6 +1277,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -936,6 +1300,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/HomePages** @@ -962,6 +1327,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -977,6 +1352,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/LockdownFavorites** @@ -1003,6 +1379,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. @@ -1022,6 +1408,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** @@ -1048,6 +1435,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -1058,6 +1455,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventFirstRunPage** @@ -1084,6 +1482,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. @@ -1096,6 +1504,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventLiveTileDataCollection** @@ -1122,6 +1531,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. @@ -1134,6 +1553,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventSmartScreenPromptOverride** @@ -1160,6 +1580,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -1172,6 +1602,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventSmartScreenPromptOverrideForFiles** @@ -1198,6 +1629,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -1208,6 +1649,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -1234,6 +1676,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1248,6 +1700,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/ProvisionFavorites** @@ -1274,6 +1727,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. @@ -1292,6 +1755,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/SendIntranetTraffictoInternetExplorer** @@ -1318,6 +1782,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1334,6 +1808,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/SetDefaultSearchEngine** @@ -1360,6 +1835,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. @@ -1379,6 +1864,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** @@ -1405,6 +1891,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1421,6 +1917,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** @@ -1447,6 +1944,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index ca7b98ecc5..ce33fa4faa 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Camera @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Camera policies +
-
+
**Camera/AllowCamera** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Disables or enables the camera. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index b1c206e118..183748ec41 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cellular @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Cellular policies +
-
+
**Cellular/ShowAppCellularAccessUI** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 5ffa503ab6..415ebf1eac 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Connectivity @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Connectivity policies +
-
+
**Connectivity/AllowBluetooth** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the user to enable Bluetooth or restrict access. @@ -64,6 +116,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowCellularData** @@ -90,6 +143,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -101,6 +163,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowCellularDataRoaming** @@ -127,6 +190,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -148,6 +220,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowConnectedDevices** @@ -174,6 +247,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -187,6 +269,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowNFC** @@ -213,6 +296,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -229,6 +321,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowUSBConnection** @@ -255,6 +348,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -273,6 +375,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowVPNOverCellular** @@ -299,6 +402,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies what type of underlying connections VPN is allowed to use. @@ -311,6 +423,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowVPNRoamingOverCellular** @@ -337,6 +450,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -349,6 +471,7 @@ ms.date: 08/30/2017 +
**Connectivity/DiablePrintingOverHTTP** @@ -375,6 +498,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -393,6 +525,7 @@ ADMX Info: +
**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** @@ -419,6 +552,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -437,6 +579,7 @@ ADMX Info: +
**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** @@ -463,6 +606,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -481,6 +633,7 @@ ADMX Info: +
**Connectivity/HardenedUNCPaths** @@ -507,6 +660,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures secure access to UNC paths. @@ -529,6 +691,7 @@ ADMX Info: +
**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** @@ -555,6 +718,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index e253febdf8..5274de917b 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialProviders @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## CredentialProviders policies +
-
+
**CredentialProviders/AllowPINLogon** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to control whether a domain user can sign in using a convenience PIN. @@ -73,6 +95,7 @@ ADMX Info: +
**CredentialProviders/BlockPicturePassword** @@ -99,6 +122,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to control whether a domain user can sign in using a picture password. @@ -125,6 +157,7 @@ ADMX Info: +
**CredentialProviders/DisableAutomaticReDeploymentCredentials** @@ -151,6 +184,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 15d68cf69e..1b7955f4e5 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialsUI @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## CredentialsUI policies + + +
**CredentialsUI/DisablePasswordReveal** @@ -45,6 +55,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. @@ -73,6 +93,7 @@ ADMX Info: +
**CredentialsUI/EnumerateAdministrators** @@ -99,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index eef7cdeba4..9c5f328c19 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cryptography @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Cryptography policies + + +
**Cryptography/AllowFipsAlgorithmPolicy** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +
**Cryptography/TLSCipherSuites** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index edba750722..1261f2c311 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataProtection @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DataProtection policies + + +
**DataProtection/AllowDirectMemoryAccess** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -57,6 +76,7 @@ ms.date: 08/30/2017 +
**DataProtection/LegacySelectiveWipeID** @@ -83,6 +103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index a8724cc2f6..540a7d26a6 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataUsage @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DataUsage policies +
-
+
**DataUsage/SetCost3G** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures the cost of 3G connections on the local machine. @@ -75,6 +94,7 @@ ADMX Info: +
**DataUsage/SetCost4G** @@ -101,6 +121,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures the cost of 4G connections on the local machine. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 3f35e2d4eb..9d75a9f6fa 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Defender @@ -14,11 +14,120 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Defender policies +
-
+
**Defender/AllowArchiveScanning** @@ -45,6 +154,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -59,6 +177,7 @@ ms.date: 08/30/2017 +
**Defender/AllowBehaviorMonitoring** @@ -85,6 +204,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -99,6 +227,7 @@ ms.date: 08/30/2017 +
**Defender/AllowCloudProtection** @@ -125,6 +254,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -139,6 +277,7 @@ ms.date: 08/30/2017 +
**Defender/AllowEmailScanning** @@ -165,6 +304,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -179,6 +327,7 @@ ms.date: 08/30/2017 +
**Defender/AllowFullScanOnMappedNetworkDrives** @@ -205,6 +354,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -219,6 +377,7 @@ ms.date: 08/30/2017 +
**Defender/AllowFullScanRemovableDriveScanning** @@ -245,6 +404,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -259,6 +427,7 @@ ms.date: 08/30/2017 +
**Defender/AllowIOAVProtection** @@ -285,6 +454,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -299,6 +477,7 @@ ms.date: 08/30/2017 +
**Defender/AllowIntrusionPreventionSystem** @@ -325,6 +504,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -339,6 +527,7 @@ ms.date: 08/30/2017 +
**Defender/AllowOnAccessProtection** @@ -365,6 +554,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -379,6 +577,7 @@ ms.date: 08/30/2017 +
**Defender/AllowRealtimeMonitoring** @@ -405,6 +604,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -419,6 +627,7 @@ ms.date: 08/30/2017 +
**Defender/AllowScanningNetworkFiles** @@ -445,6 +654,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -459,6 +677,7 @@ ms.date: 08/30/2017 +
**Defender/AllowScriptScanning** @@ -485,6 +704,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -499,6 +727,7 @@ ms.date: 08/30/2017 +
**Defender/AllowUserUIAccess** @@ -525,6 +754,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -539,6 +777,7 @@ ms.date: 08/30/2017 +
**Defender/AttackSurfaceReductionOnlyExclusions** @@ -565,6 +804,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -576,6 +824,7 @@ ms.date: 08/30/2017 +
**Defender/AttackSurfaceReductionRules** @@ -602,6 +851,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -615,6 +873,7 @@ ms.date: 08/30/2017 +
**Defender/AvgCPULoadFactor** @@ -641,6 +900,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -654,6 +922,7 @@ ms.date: 08/30/2017 +
**Defender/CloudBlockLevel** @@ -680,6 +949,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -703,6 +981,7 @@ ms.date: 08/30/2017 +
**Defender/CloudExtendedTimeout** @@ -729,6 +1008,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -744,6 +1032,7 @@ ms.date: 08/30/2017 +
**Defender/ControlledFolderAccessAllowedApplications** @@ -770,6 +1059,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. @@ -778,6 +1076,7 @@ ms.date: 08/30/2017 +
**Defender/ControlledFolderAccessProtectedFolders** @@ -804,6 +1103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. @@ -812,6 +1120,7 @@ ms.date: 08/30/2017 +
**Defender/DaysToRetainCleanedMalware** @@ -838,6 +1147,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -851,6 +1169,7 @@ ms.date: 08/30/2017 +
**Defender/EnableControlledFolderAccess** @@ -877,6 +1196,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. @@ -889,6 +1217,7 @@ ms.date: 08/30/2017 +
**Defender/EnableNetworkProtection** @@ -915,6 +1244,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -935,6 +1273,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedExtensions** @@ -961,6 +1300,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -970,6 +1318,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedPaths** @@ -996,6 +1345,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1005,6 +1363,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedProcesses** @@ -1031,6 +1390,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1046,6 +1414,7 @@ ms.date: 08/30/2017 +
**Defender/PUAProtection** @@ -1072,6 +1441,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1087,6 +1465,7 @@ ms.date: 08/30/2017 +
**Defender/RealTimeScanDirection** @@ -1113,6 +1492,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1132,6 +1520,7 @@ ms.date: 08/30/2017 +
**Defender/ScanParameter** @@ -1158,6 +1547,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1172,6 +1570,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleQuickScanTime** @@ -1198,6 +1597,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1217,6 +1625,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleScanDay** @@ -1243,6 +1652,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1268,6 +1686,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleScanTime** @@ -1294,6 +1713,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1313,6 +1741,7 @@ ms.date: 08/30/2017 +
**Defender/SignatureUpdateInterval** @@ -1339,6 +1768,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1354,6 +1792,7 @@ ms.date: 08/30/2017 +
**Defender/SubmitSamplesConsent** @@ -1380,6 +1819,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1396,6 +1844,7 @@ ms.date: 08/30/2017 +
**Defender/ThreatSeverityDefaultAction** @@ -1422,6 +1871,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index e352718a5d..f001c4ea3e 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeliveryOptimization @@ -14,11 +14,63 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DeliveryOptimization policies +
-
+
**DeliveryOptimization/DOAbsoluteMaxCacheSize** @@ -45,6 +97,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -56,6 +117,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOAllowVPNPeerCaching** @@ -82,6 +144,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -93,6 +164,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DODownloadMode** @@ -119,6 +191,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -137,6 +218,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOGroupId** @@ -163,6 +245,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -175,6 +266,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxCacheAge** @@ -201,6 +293,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -212,6 +313,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxCacheSize** @@ -238,6 +340,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -249,6 +360,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxDownloadBandwidth** @@ -275,6 +387,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -286,6 +407,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxUploadBandwidth** @@ -312,6 +434,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -323,6 +454,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinBackgroundQos** @@ -349,6 +481,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -360,6 +501,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** @@ -386,6 +528,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -396,6 +547,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** @@ -422,6 +574,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -436,6 +597,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinFileSizeToCache** @@ -462,6 +624,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -473,6 +644,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinRAMAllowedToPeer** @@ -499,6 +671,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -510,6 +691,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOModifyCacheDrive** @@ -536,6 +718,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -547,6 +738,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMonthlyUploadDataCap** @@ -573,6 +765,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -586,6 +787,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** @@ -612,6 +814,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8a3b89d0f5..8d89bebfb5 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Desktop @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Desktop policies + + +
**Desktop/PreventUserRedirectionOfProfileFolders** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + Prevents users from changing the path to their profile folders. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index df77a218e7..b45125a146 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceGuard @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DeviceGuard policies +
-
+
**DeviceGuard/EnableVirtualizationBasedSecurity** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: @@ -55,6 +77,7 @@ ms.date: 08/30/2017 +
**DeviceGuard/LsaCfgFlags** @@ -81,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: @@ -93,6 +125,7 @@ ms.date: 08/30/2017 +
**DeviceGuard/RequirePlatformSecurityFeatures** @@ -119,6 +152,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
-
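Review bot: In policy-csp-deviceguard.md, the Scope block added under DeviceGuard/LsaCfgFlags marks the policy as Device-scoped, but the description right below it still says "This setting lets users turn on Credential Guard", which reads as a per-user choice; consider rewording it so it says the setting turns on Credential Guard at next reboot. In the same file, the DeviceGuard/EnableVirtualizationBasedSecurity description has "virtualization based security(VBS)" with no space before the parenthesis, starts its second sentence with a lowercase "virtualization", and leaves the term unhyphenated while LsaCfgFlags writes "virtualization-based security"; pick one spelling and use it in both sections.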
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 4b04c4567d..c57bc0a0a1 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DeviceInstallation
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+ ## DeviceInstallation policies +
-
+
**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. @@ -69,6 +88,7 @@ ADMX Info: +
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** @@ -95,6 +115,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index dcfc34f488..4767db8c6f 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceLock @@ -14,11 +14,63 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DeviceLock policies +
-
+
**DeviceLock/AllowIdleReturnWithoutPassword** @@ -45,6 +97,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -63,6 +124,7 @@ ms.date: 08/30/2017 +
**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** @@ -89,6 +151,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -110,6 +181,7 @@ ms.date: 08/30/2017 +
**DeviceLock/AllowSimpleDevicePassword** @@ -136,6 +208,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. @@ -152,6 +233,7 @@ ms.date: 08/30/2017 +
**DeviceLock/AlphanumericDevicePasswordRequired** @@ -178,6 +260,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). @@ -202,6 +293,7 @@ ms.date: 08/30/2017 +
**DeviceLock/DevicePasswordEnabled** @@ -228,6 +320,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether device lock is enabled. @@ -278,6 +379,7 @@ ms.date: 08/30/2017 +
**DeviceLock/DevicePasswordExpiration** @@ -304,6 +406,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies when the password expires (in days). @@ -322,6 +433,7 @@ ms.date: 08/30/2017 +
**DeviceLock/DevicePasswordHistory** @@ -348,6 +460,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies how many passwords can be stored in the history that can’t be used. @@ -368,6 +489,7 @@ ms.date: 08/30/2017 +
**DeviceLock/EnforceLockScreenAndLogonImage** @@ -394,6 +516,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. @@ -405,6 +536,7 @@ ms.date: 08/30/2017 +
**DeviceLock/EnforceLockScreenProvider** @@ -431,6 +563,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. @@ -442,6 +583,7 @@ ms.date: 08/30/2017 +
**DeviceLock/MaxDevicePasswordFailedAttempts** @@ -468,6 +610,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. @@ -493,6 +644,7 @@ The number of authentication failures allowed before the device will be wiped. A +
**DeviceLock/MaxInactivityTimeDeviceLock** @@ -519,6 +671,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. @@ -535,6 +696,7 @@ The number of authentication failures allowed before the device will be wiped. A +
**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** @@ -561,6 +723,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. @@ -575,6 +746,7 @@ The number of authentication failures allowed before the device will be wiped. A +
**DeviceLock/MinDevicePasswordComplexCharacters** @@ -601,6 +773,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -677,6 +858,7 @@ The number of authentication failures allowed before the device will be wiped. A +
**DeviceLock/MinDevicePasswordLength** @@ -703,6 +885,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies the minimum number or characters required in the PIN or password. @@ -724,6 +915,7 @@ The number of authentication failures allowed before the device will be wiped. A +
**DeviceLock/PreventLockScreenSlideShow** @@ -750,6 +942,15 @@ The number of authentication failures allowed before the device will be wiped. A + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. @@ -774,6 +975,7 @@ ADMX Info: +
**DeviceLock/ScreenTimeoutWhileLocked** @@ -800,6 +1002,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 7af8189ba0..43c616c9a7 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Display @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Display policies + + +
**Display/TurnOffGdiDPIScalingForApps** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -63,6 +82,7 @@ ms.date: 08/30/2017 +
**Display/TurnOnGdiDPIScalingForApps** @@ -89,6 +109,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 6be666c341..dcb33c8647 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Education @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Education policies +
-
+
**Education/DefaultPrinterName** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. @@ -52,6 +74,7 @@ The policy value is expected to be the name (network host name) of an installed +
**Education/PreventAddingNewPrinters** @@ -78,6 +101,15 @@ The policy value is expected to be the name (network host name) of an installed + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. @@ -88,6 +120,7 @@ The following list shows the supported values: +
**Education/PrinterNames** @@ -114,6 +147,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index c11c6d066d..6f3068b82d 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - EnterpriseCloudPrint @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## EnterpriseCloudPrint policies +
-
+
**EnterpriseCloudPrint/CloudPrintOAuthAuthority** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. @@ -54,6 +85,7 @@ ms.date: 08/30/2017 +
**EnterpriseCloudPrint/CloudPrintOAuthClientId** @@ -80,6 +112,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. @@ -89,6 +130,7 @@ ms.date: 08/30/2017 +
**EnterpriseCloudPrint/CloudPrintResourceId** @@ -115,6 +157,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. @@ -124,6 +175,7 @@ ms.date: 08/30/2017 +
**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** @@ -150,6 +202,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. @@ -159,6 +220,7 @@ ms.date: 08/30/2017 +
**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** @@ -185,6 +247,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. @@ -194,6 +265,7 @@ ms.date: 08/30/2017 +
**EnterpriseCloudPrint/MopriaDiscoveryResourceId** @@ -220,6 +292,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 98c03c6579..c86f76ed58 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ErrorReporting @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ErrorReporting policies +
-
+
**ErrorReporting/CustomizeConsentSettings** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting determines the consent behavior of Windows Error Reporting for specific event types. @@ -79,6 +107,7 @@ ADMX Info: +
**ErrorReporting/DisableWindowsErrorReporting** @@ -105,6 +134,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. @@ -129,6 +167,7 @@ ADMX Info: +
**ErrorReporting/DisplayErrorNotification** @@ -155,6 +194,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether users are shown an error dialog box that lets them report an error. @@ -183,6 +231,7 @@ ADMX Info: +
**ErrorReporting/DoNotSendAdditionalData** @@ -209,6 +258,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. @@ -233,6 +291,7 @@ ADMX Info: +
**ErrorReporting/PreventCriticalErrorDisplay** @@ -259,6 +318,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting prevents the display of the user interface for critical errors. diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index a73f5c2b18..60434439fa 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - EventLogService @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## EventLogService policies +
-
+
**EventLogService/ControlEventLogBehavior** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls Event Log behavior when the log file reaches its maximum size. @@ -71,6 +96,7 @@ ADMX Info: +
**EventLogService/SpecifyMaximumFileSizeApplicationLog** @@ -97,6 +123,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies the maximum size of the log file in kilobytes. @@ -121,6 +156,7 @@ ADMX Info: +
**EventLogService/SpecifyMaximumFileSizeSecurityLog** @@ -147,6 +183,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies the maximum size of the log file in kilobytes. @@ -171,6 +216,7 @@ ADMX Info: +
**EventLogService/SpecifyMaximumFileSizeSystemLog** @@ -197,6 +243,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies the maximum size of the log file in kilobytes. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index b5e7a8bfe2..4dfcea0e83 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Experience @@ -14,11 +14,72 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Experience policies +
-
+
**Experience/AllowCopyPaste** @@ -45,6 +106,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -60,6 +130,7 @@ ms.date: 08/30/2017 +
**Experience/AllowCortana** @@ -86,6 +157,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. @@ -106,6 +186,7 @@ ms.date: 08/30/2017 +
**Experience/AllowDeviceDiscovery** @@ -132,6 +213,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows users to turn on/off device discovery UX. @@ -146,6 +236,7 @@ ms.date: 08/30/2017 +
**Experience/AllowFindMyDevice** @@ -172,6 +263,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy turns on Find My Device. @@ -186,6 +286,7 @@ ms.date: 08/30/2017 +
**Experience/AllowManualMDMUnenrollment** @@ -212,6 +313,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow the user to delete the workplace account using the workplace control panel. @@ -228,6 +338,7 @@ ms.date: 08/30/2017 +
**Experience/AllowSIMErrorDialogPromptWhenNoSIM** @@ -254,6 +365,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -268,6 +388,7 @@ ms.date: 08/30/2017 +
**Experience/AllowScreenCapture** @@ -294,6 +415,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -310,6 +440,7 @@ ms.date: 08/30/2017 +
**Experience/AllowSyncMySettings** @@ -336,6 +467,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -346,6 +486,7 @@ ms.date: 08/30/2017 +
**Experience/AllowTailoredExperiencesWithDiagnosticData** @@ -372,6 +513,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -391,6 +541,7 @@ ms.date: 08/30/2017 +
**Experience/AllowTaskSwitcher** @@ -417,6 +568,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -431,6 +591,7 @@ ms.date: 08/30/2017 +
**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** @@ -457,6 +618,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -471,6 +641,7 @@ ms.date: 08/30/2017 +
**Experience/AllowVoiceRecording** @@ -497,6 +668,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -513,6 +693,7 @@ ms.date: 08/30/2017 +
**Experience/AllowWindowsConsumerFeatures** @@ -539,6 +720,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -562,6 +752,7 @@ ms.date: 08/30/2017 +
**Experience/AllowWindowsSpotlight** @@ -588,6 +779,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -604,6 +804,7 @@ ms.date: 08/30/2017 +
**Experience/AllowWindowsSpotlightOnActionCenter** @@ -630,6 +831,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -645,6 +855,7 @@ ms.date: 08/30/2017 +
**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** @@ -671,6 +882,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -687,6 +907,7 @@ The Windows welcome experience feature introduces onboard users to Windows; for +
**Experience/AllowWindowsTips** @@ -713,6 +934,15 @@ The Windows welcome experience feature introduces onboard users to Windows; for + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables or disables Windows Tips / soft landing. @@ -723,6 +953,7 @@ Enables or disables Windows Tips / soft landing. +
**Experience/ConfigureWindowsSpotlightOnLockScreen** @@ -749,6 +980,15 @@ Enables or disables Windows Tips / soft landing. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -764,6 +1004,7 @@ Enables or disables Windows Tips / soft landing. +
**Experience/DoNotShowFeedbackNotifications** @@ -790,6 +1031,15 @@ Enables or disables Windows Tips / soft landing. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Prevents devices from showing feedback questions from Microsoft. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 292dfa31bc..f408206e83 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ExploitGuard @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ExploitGuard policies + + +
**ExploitGuard/ExploitProtectionSettings** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index f6fc32cc9f..868f23aa8e 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/31/2017 +ms.date: 09/29/2017 --- # Policy CSP - Games @@ -14,11 +14,18 @@ ms.date: 08/31/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Games policies + + +
**Games/AllowAdvancedGamingServices** @@ -45,6 +52,15 @@ ms.date: 08/31/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer. @@ -52,6 +68,7 @@ ms.date: 08/31/2017 - 1 (default) - Allowed
This policy can only be turned off in Windows 10 Education and Enterprise editions. +
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md new file mode 100644 index 0000000000..e00909e922 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -0,0 +1,89 @@ +--- +title: Policy CSP - Handwriting +description: Policy CSP - Handwriting +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 09/29/2017 +--- + +# Policy CSP - Handwriting + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +
+ + +## Handwriting policies + + + +
+ +**Handwriting/PanelDefaultModeDocked** + + +
Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
---|---|---|---|---|---|---|
![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+ ![]() |
+
+ + + +
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel. + +
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. + +
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction. + +
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way. + +
-
+
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 7be92bcfc1..1a97e52c6c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - InternetExplorer @@ -14,11 +14,771 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## InternetExplorer policies +
-
+
**InternetExplorer/AddSearchProvider** @@ -45,6 +805,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. @@ -69,6 +839,7 @@ ADMX Info: +
**InternetExplorer/AllowActiveXFiltering** @@ -95,6 +866,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. @@ -119,6 +900,7 @@ ADMX Info: +
**InternetExplorer/AllowAddOnList** @@ -145,6 +927,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. @@ -175,6 +967,7 @@ ADMX Info: +
**InternetExplorer/AllowAutoComplete** @@ -201,6 +994,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + > [!TIP] @@ -219,6 +1021,7 @@ ADMX Info: +
**InternetExplorer/AllowCertificateAddressMismatchWarning** @@ -245,6 +1048,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -263,6 +1076,7 @@ ADMX Info: +
**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** @@ -289,6 +1103,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -307,6 +1131,7 @@ ADMX Info: +
**InternetExplorer/AllowEnhancedProtectedMode** @@ -333,6 +1158,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. @@ -359,6 +1194,7 @@ ADMX Info: +
**InternetExplorer/AllowEnterpriseModeFromToolsMenu** @@ -385,6 +1221,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. @@ -409,6 +1255,7 @@ ADMX Info: +
**InternetExplorer/AllowEnterpriseModeSiteList** @@ -435,6 +1282,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. @@ -459,6 +1316,7 @@ ADMX Info: +
**InternetExplorer/AllowFallbackToSSL3** @@ -485,6 +1343,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -503,6 +1370,7 @@ ADMX Info: +
**InternetExplorer/AllowInternetExplorer7PolicyList** @@ -529,6 +1397,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. @@ -553,6 +1431,7 @@ ADMX Info: +
**InternetExplorer/AllowInternetExplorerStandardsMode** @@ -579,6 +1458,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. @@ -605,6 +1494,7 @@ ADMX Info: +
**InternetExplorer/AllowInternetZoneTemplate** @@ -631,6 +1521,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -661,6 +1561,7 @@ ADMX Info: +
**InternetExplorer/AllowIntranetZoneTemplate** @@ -687,6 +1588,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -717,6 +1628,7 @@ ADMX Info: +
**InternetExplorer/AllowLocalMachineZoneTemplate** @@ -743,6 +1655,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -773,6 +1695,7 @@ ADMX Info: +
**InternetExplorer/AllowLockedDownInternetZoneTemplate** @@ -799,6 +1722,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -829,6 +1762,7 @@ ADMX Info: +
**InternetExplorer/AllowLockedDownIntranetZoneTemplate** @@ -855,6 +1789,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -885,6 +1829,7 @@ ADMX Info: +
**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** @@ -911,6 +1856,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -941,6 +1896,7 @@ ADMX Info: +
**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** @@ -967,6 +1923,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -997,6 +1963,7 @@ ADMX Info: +
**InternetExplorer/AllowOneWordEntry** @@ -1023,6 +1990,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. @@ -1047,6 +2024,7 @@ ADMX Info: +
**InternetExplorer/AllowSiteToZoneAssignmentList** @@ -1073,6 +2051,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. @@ -1103,6 +2091,7 @@ ADMX Info: +
**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** @@ -1129,6 +2118,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1147,6 +2146,7 @@ ADMX Info: +
**InternetExplorer/AllowSuggestedSites** @@ -1173,6 +2173,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. @@ -1199,6 +2209,7 @@ ADMX Info: +
**InternetExplorer/AllowTrustedSitesZoneTemplate** @@ -1225,6 +2236,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1255,6 +2276,7 @@ ADMX Info: +
**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** @@ -1281,6 +2303,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1311,6 +2343,7 @@ ADMX Info: +
**InternetExplorer/AllowsRestrictedSitesZoneTemplate** @@ -1337,6 +2370,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. @@ -1367,6 +2410,7 @@ ADMX Info: +
**InternetExplorer/CheckServerCertificateRevocation** @@ -1393,6 +2437,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1411,6 +2465,7 @@ ADMX Info: +
**InternetExplorer/CheckSignaturesOnDownloadedPrograms** @@ -1437,6 +2492,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1455,6 +2520,7 @@ ADMX Info: +
**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** @@ -1481,6 +2547,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1499,6 +2575,7 @@ ADMX Info: +
**InternetExplorer/DisableAdobeFlash** @@ -1525,6 +2602,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. @@ -1551,6 +2638,7 @@ ADMX Info: +
**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** @@ -1577,6 +2665,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1595,6 +2693,7 @@ ADMX Info: +
**InternetExplorer/DisableBypassOfSmartScreenWarnings** @@ -1621,6 +2720,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. @@ -1645,6 +2754,7 @@ ADMX Info: +
**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** @@ -1671,6 +2781,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. @@ -1695,6 +2815,7 @@ ADMX Info: +
**InternetExplorer/DisableConfiguringHistory** @@ -1721,6 +2842,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1739,6 +2870,7 @@ ADMX Info: +
**InternetExplorer/DisableCrashDetection** @@ -1765,6 +2897,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1783,6 +2925,7 @@ ADMX Info: +
**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** @@ -1809,6 +2952,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). @@ -1835,6 +2988,7 @@ ADMX Info: +
**InternetExplorer/DisableDeletingUserVisitedWebsites** @@ -1861,6 +3015,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -1879,6 +3043,7 @@ ADMX Info: +
**InternetExplorer/DisableEnclosureDownloading** @@ -1905,6 +3070,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. @@ -1929,6 +3104,7 @@ ADMX Info: +
**InternetExplorer/DisableEncryptionSupport** @@ -1955,6 +3131,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. @@ -1981,6 +3167,7 @@ ADMX Info: +
**InternetExplorer/DisableFirstRunWizard** @@ -2007,6 +3194,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. @@ -2035,6 +3232,7 @@ ADMX Info: +
**InternetExplorer/DisableFlipAheadFeature** @@ -2061,6 +3259,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. @@ -2089,6 +3297,7 @@ ADMX Info: +
**InternetExplorer/DisableHomePageChange** @@ -2115,6 +3324,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. @@ -2139,6 +3357,7 @@ ADMX Info: +
**InternetExplorer/DisableIgnoringCertificateErrors** @@ -2165,6 +3384,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -2183,6 +3412,7 @@ ADMX Info: +
**InternetExplorer/DisableInPrivateBrowsing** @@ -2209,6 +3439,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -2227,6 +3467,7 @@ ADMX Info: +
**InternetExplorer/DisableProcessesInEnhancedProtectedMode** @@ -2253,6 +3494,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -2271,6 +3522,7 @@ ADMX Info: +
**InternetExplorer/DisableProxyChange** @@ -2297,6 +3549,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting specifies if a user can change proxy settings. @@ -2321,6 +3583,7 @@ ADMX Info: +
**InternetExplorer/DisableSearchProviderChange** @@ -2347,6 +3610,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. @@ -2371,6 +3644,7 @@ ADMX Info: +
**InternetExplorer/DisableSecondaryHomePageChange** @@ -2397,6 +3671,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. @@ -2423,6 +3707,7 @@ ADMX Info: +
**InternetExplorer/DisableSecuritySettingsCheck** @@ -2449,6 +3734,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -2467,6 +3762,7 @@ ADMX Info: +
**InternetExplorer/DisableUpdateCheck** @@ -2493,6 +3789,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Prevents Internet Explorer from checking whether a new version of the browser is available. @@ -2519,6 +3824,7 @@ ADMX Info: +
**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** @@ -2545,6 +3851,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -2563,6 +3879,7 @@ ADMX Info: +
**InternetExplorer/DoNotAllowUsersToAddSites** @@ -2589,6 +3906,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. @@ -2619,6 +3945,7 @@ ADMX Info: +
**InternetExplorer/DoNotAllowUsersToChangePolicies** @@ -2645,6 +3972,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. @@ -2675,6 +4011,7 @@ ADMX Info: +
**InternetExplorer/DoNotBlockOutdatedActiveXControls** @@ -2701,6 +4038,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. @@ -2727,6 +4074,7 @@ ADMX Info: +
**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** @@ -2753,6 +4101,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. @@ -2783,6 +4141,7 @@ ADMX Info: +
**InternetExplorer/IncludeAllLocalSites** @@ -2809,6 +4168,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. @@ -2835,6 +4204,7 @@ ADMX Info: +
**InternetExplorer/IncludeAllNetworkPaths** @@ -2861,6 +4231,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. @@ -2887,6 +4267,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowAccessToDataSources** @@ -2913,6 +4294,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -2939,6 +4330,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** @@ -2965,6 +4357,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -2991,6 +4393,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** @@ -3017,6 +4420,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -3041,6 +4454,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowCopyPasteViaScript** @@ -3067,6 +4481,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3085,6 +4509,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** @@ -3111,6 +4536,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3129,6 +4564,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowFontDownloads** @@ -3155,6 +4591,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -3181,6 +4627,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowLessPrivilegedSites** @@ -3207,6 +4654,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -3233,6 +4690,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** @@ -3259,6 +4717,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3277,6 +4745,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** @@ -3303,6 +4772,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -3329,6 +4808,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** @@ -3355,6 +4835,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3373,6 +4863,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** @@ -3399,6 +4890,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3417,6 +4918,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** @@ -3443,6 +4945,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3461,6 +4973,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** @@ -3487,6 +5000,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3505,6 +5028,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowScriptlets** @@ -3531,6 +5055,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -3557,6 +5091,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowSmartScreenIE** @@ -3583,6 +5118,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -3611,6 +5156,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** @@ -3637,6 +5183,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3655,6 +5211,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneAllowUserDataPersistence** @@ -3681,6 +5238,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -3707,6 +5274,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -3733,6 +5301,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3751,6 +5329,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneDownloadSignedActiveXControls** @@ -3777,6 +5356,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3795,6 +5384,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** @@ -3821,6 +5411,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3839,6 +5439,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** @@ -3865,6 +5466,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3883,6 +5494,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** @@ -3909,6 +5521,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3927,6 +5549,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** @@ -3953,6 +5576,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -3971,6 +5604,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneEnableMIMESniffing** @@ -3997,6 +5631,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4015,6 +5659,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneEnableProtectedMode** @@ -4041,6 +5686,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4059,6 +5714,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** @@ -4085,6 +5741,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4103,6 +5769,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** @@ -4129,6 +5796,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -4157,6 +5834,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -4186,6 +5864,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneJavaPermissions** @@ -4212,6 +5891,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4230,6 +5919,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** @@ -4256,6 +5946,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4274,6 +5974,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneLogonOptions** @@ -4300,6 +6001,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4318,6 +6029,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneNavigateWindowsAndFrames** @@ -4344,6 +6056,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -4370,6 +6092,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** @@ -4396,6 +6119,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4414,6 +6147,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** @@ -4440,6 +6174,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4458,6 +6202,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** @@ -4484,6 +6229,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4502,6 +6257,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneUsePopupBlocker** @@ -4528,6 +6284,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4546,6 +6312,7 @@ ADMX Info: +
**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** @@ -4572,6 +6339,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -4590,6 +6367,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowAccessToDataSources** @@ -4616,6 +6394,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -4642,6 +6430,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** @@ -4668,6 +6457,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -4694,6 +6493,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** @@ -4720,6 +6520,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -4744,6 +6554,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowFontDownloads** @@ -4770,6 +6581,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -4796,6 +6617,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** @@ -4822,6 +6644,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -4848,6 +6680,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** @@ -4874,6 +6707,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -4900,6 +6743,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowScriptlets** @@ -4926,6 +6770,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -4952,6 +6806,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowSmartScreenIE** @@ -4978,6 +6833,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -5006,6 +6871,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneAllowUserDataPersistence** @@ -5032,6 +6898,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -5058,6 +6934,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -5084,6 +6961,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -5102,6 +6989,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** @@ -5128,6 +7016,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -5156,6 +7054,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -5182,6 +7081,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -5200,6 +7109,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneJavaPermissions** @@ -5226,6 +7136,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -5244,6 +7164,7 @@ ADMX Info: +
**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** @@ -5270,6 +7191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -5296,6 +7227,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** @@ -5322,6 +7254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -5348,6 +7290,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** @@ -5374,6 +7317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -5400,6 +7353,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** @@ -5426,6 +7380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -5450,6 +7414,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowFontDownloads** @@ -5476,6 +7441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -5502,6 +7477,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** @@ -5528,6 +7504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -5554,6 +7540,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** @@ -5580,6 +7567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -5606,6 +7603,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowScriptlets** @@ -5632,6 +7630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -5658,6 +7666,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** @@ -5684,6 +7693,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -5712,6 +7731,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** @@ -5738,6 +7758,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -5764,6 +7794,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -5790,6 +7821,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -5808,6 +7849,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** @@ -5834,6 +7876,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -5862,6 +7914,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneJavaPermissions** @@ -5888,6 +7941,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -5906,6 +7969,7 @@ ADMX Info: +
**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** @@ -5932,6 +7996,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -5958,6 +8032,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** @@ -5984,6 +8059,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -6010,6 +8095,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** @@ -6036,6 +8122,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -6062,6 +8158,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** @@ -6088,6 +8185,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -6112,6 +8219,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** @@ -6138,6 +8246,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -6164,6 +8282,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** @@ -6190,6 +8309,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -6216,6 +8345,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** @@ -6242,6 +8372,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -6268,6 +8408,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowScriptlets** @@ -6294,6 +8435,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -6320,6 +8471,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** @@ -6346,6 +8498,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -6374,6 +8536,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** @@ -6400,6 +8563,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -6426,6 +8599,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** @@ -6452,6 +8626,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -6480,6 +8664,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneJavaPermissions** @@ -6506,6 +8691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -6524,6 +8719,7 @@ ADMX Info: +
**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** @@ -6550,6 +8746,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -6576,6 +8782,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** @@ -6602,6 +8809,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -6628,6 +8845,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** @@ -6654,6 +8872,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -6680,6 +8908,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** @@ -6706,6 +8935,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -6730,6 +8969,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** @@ -6756,6 +8996,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -6782,6 +9032,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** @@ -6808,6 +9059,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -6834,6 +9095,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** @@ -6860,6 +9122,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -6886,6 +9158,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** @@ -6912,6 +9185,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -6938,6 +9221,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** @@ -6964,6 +9248,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -6992,6 +9286,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** @@ -7018,6 +9313,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -7044,6 +9349,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** @@ -7070,6 +9376,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -7098,6 +9414,7 @@ ADMX Info: +
**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** @@ -7124,6 +9441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -7150,6 +9477,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** @@ -7176,6 +9504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -7202,6 +9540,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** @@ -7228,6 +9567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -7254,6 +9603,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** @@ -7280,6 +9630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -7304,6 +9664,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** @@ -7330,6 +9691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -7356,6 +9727,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** @@ -7382,6 +9754,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -7408,6 +9790,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** @@ -7434,6 +9817,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -7460,6 +9853,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** @@ -7486,6 +9880,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -7512,6 +9916,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** @@ -7538,6 +9943,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -7566,6 +9981,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** @@ -7592,6 +10008,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -7618,6 +10044,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** @@ -7644,6 +10071,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -7672,6 +10109,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** @@ -7698,6 +10136,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -7716,6 +10164,7 @@ ADMX Info: +
**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** @@ -7742,6 +10191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -7768,6 +10227,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** @@ -7794,6 +10254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -7820,6 +10290,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -7846,6 +10317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -7872,6 +10353,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -7898,6 +10380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -7922,6 +10414,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** @@ -7948,6 +10441,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -7974,6 +10477,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** @@ -8000,6 +10504,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -8026,6 +10540,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** @@ -8052,6 +10567,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -8078,6 +10603,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** @@ -8104,6 +10630,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -8130,6 +10666,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** @@ -8156,6 +10693,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -8184,6 +10731,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** @@ -8210,6 +10758,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -8236,6 +10794,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** @@ -8262,6 +10821,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -8290,6 +10859,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** @@ -8316,6 +10886,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -8334,6 +10914,7 @@ ADMX Info: +
**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** @@ -8360,6 +10941,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -8386,6 +10977,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** @@ -8412,6 +11004,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -8438,6 +11040,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -8464,6 +11067,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -8490,6 +11103,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -8516,6 +11130,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -8540,6 +11164,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** @@ -8566,6 +11191,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -8592,6 +11227,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** @@ -8618,6 +11254,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -8644,6 +11290,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** @@ -8670,6 +11317,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -8696,6 +11353,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** @@ -8722,6 +11380,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -8748,6 +11416,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** @@ -8774,6 +11443,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -8802,6 +11481,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** @@ -8828,6 +11508,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -8854,6 +11544,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** @@ -8880,6 +11571,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -8908,6 +11609,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** @@ -8934,6 +11636,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -8952,6 +11664,7 @@ ADMX Info: +
**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** @@ -8978,6 +11691,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -9004,6 +11727,7 @@ ADMX Info: +
**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** @@ -9030,6 +11754,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9048,6 +11782,7 @@ ADMX Info: +
**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** @@ -9074,6 +11809,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9092,6 +11837,7 @@ ADMX Info: +
**InternetExplorer/NotificationBarInternetExplorerProcesses** @@ -9118,6 +11864,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9136,6 +11892,7 @@ ADMX Info: +
**InternetExplorer/PreventManagingSmartScreenFilter** @@ -9162,6 +11919,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9180,6 +11947,7 @@ ADMX Info: +
**InternetExplorer/PreventPerUserInstallationOfActiveXControls** @@ -9206,6 +11974,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9224,6 +12002,7 @@ ADMX Info: +
**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** @@ -9250,6 +12029,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9268,6 +12057,7 @@ ADMX Info: +
**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** @@ -9294,6 +12084,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9312,6 +12112,7 @@ ADMX Info: +
**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** @@ -9338,6 +12139,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9356,6 +12167,7 @@ ADMX Info: +
**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** @@ -9382,6 +12194,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9400,6 +12222,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** @@ -9426,6 +12249,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -9452,6 +12285,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** @@ -9478,6 +12312,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9496,6 +12340,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -9522,6 +12367,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -9548,6 +12403,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -9574,6 +12430,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -9598,6 +12464,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** @@ -9624,6 +12491,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9642,6 +12519,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** @@ -9668,6 +12546,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9686,6 +12574,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** @@ -9712,6 +12601,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9730,6 +12629,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** @@ -9756,6 +12656,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9774,6 +12684,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** @@ -9800,6 +12711,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -9826,6 +12747,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** @@ -9852,6 +12774,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. @@ -9878,6 +12810,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** @@ -9904,6 +12837,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9922,6 +12865,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** @@ -9948,6 +12892,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -9966,6 +12920,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** @@ -9992,6 +12947,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -10018,6 +12983,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** @@ -10044,6 +13010,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10062,6 +13038,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** @@ -10088,6 +13065,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10106,6 +13093,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** @@ -10132,6 +13120,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10150,6 +13148,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** @@ -10176,6 +13175,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10194,6 +13203,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowScriptlets** @@ -10220,6 +13230,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -10246,6 +13266,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** @@ -10272,6 +13293,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -10300,6 +13331,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** @@ -10326,6 +13358,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10344,6 +13386,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** @@ -10370,6 +13413,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -10396,6 +13449,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -10422,6 +13476,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10440,6 +13504,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** @@ -10466,6 +13531,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10484,6 +13559,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** @@ -10510,6 +13586,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10528,6 +13614,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** @@ -10554,6 +13641,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10572,6 +13669,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** @@ -10598,6 +13696,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10616,6 +13724,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** @@ -10642,6 +13751,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10660,6 +13779,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** @@ -10686,6 +13806,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10704,6 +13834,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** @@ -10730,6 +13861,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10748,6 +13889,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** @@ -10774,6 +13916,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -10802,6 +13954,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneJavaPermissions** @@ -10828,6 +13981,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10846,6 +14009,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** @@ -10872,6 +14036,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10890,6 +14064,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneLogonOptions** @@ -10916,6 +14091,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -10934,6 +14119,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** @@ -10960,6 +14146,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. @@ -10986,6 +14182,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** @@ -11012,6 +14209,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11030,6 +14237,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** @@ -11056,6 +14264,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11074,6 +14292,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** @@ -11100,6 +14319,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11118,6 +14347,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** @@ -11144,6 +14374,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11162,6 +14402,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** @@ -11188,6 +14429,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11206,6 +14457,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** @@ -11232,6 +14484,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11250,6 +14512,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter** @@ -11276,6 +14539,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11294,6 +14567,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** @@ -11320,6 +14594,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11338,6 +14622,7 @@ ADMX Info: +
**InternetExplorer/RestrictedSitesZoneUsePopupBlocker** @@ -11364,6 +14649,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11382,6 +14677,7 @@ ADMX Info: +
**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** @@ -11408,6 +14704,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11426,6 +14732,7 @@ ADMX Info: +
**InternetExplorer/SearchProviderList** @@ -11452,6 +14759,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. @@ -11476,6 +14793,7 @@ ADMX Info: +
**InternetExplorer/SecurityZonesUseOnlyMachineSettings** @@ -11502,6 +14820,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -11520,6 +14847,7 @@ ADMX Info: +
**InternetExplorer/SpecifyUseOfActiveXInstallerService** @@ -11546,6 +14874,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -11564,6 +14902,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** @@ -11590,6 +14929,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). @@ -11616,6 +14965,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** @@ -11642,6 +14992,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting manages whether users will be automatically prompted for ActiveX control installations. @@ -11668,6 +15028,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** @@ -11694,6 +15055,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. @@ -11718,6 +15089,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowFontDownloads** @@ -11744,6 +15116,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether pages of the zone may download HTML fonts. @@ -11770,6 +15152,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** @@ -11796,6 +15179,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. @@ -11822,6 +15215,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** @@ -11848,6 +15242,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. @@ -11874,6 +15278,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowScriptlets** @@ -11900,6 +15305,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage whether the user can run scriptlets. @@ -11926,6 +15341,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** @@ -11952,6 +15368,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. @@ -11980,6 +15406,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** @@ -12006,6 +15433,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. @@ -12032,6 +15469,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** @@ -12058,6 +15496,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -12076,6 +15524,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls** @@ -12102,6 +15551,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -12120,6 +15579,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** @@ -12146,6 +15606,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage ActiveX controls not marked as safe. @@ -12174,6 +15644,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe** @@ -12200,6 +15671,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -12218,6 +15699,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe** @@ -12244,6 +15726,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -12262,6 +15754,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneJavaPermissions** @@ -12288,6 +15781,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!TIP] @@ -12306,6 +15809,7 @@ ADMX Info: +
**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** @@ -12332,6 +15836,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index d4683f4ded..0297e2a41a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Kerberos @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Kerberos policies +
-
+
**Kerberos/AllowForestSearchOrder** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). @@ -69,6 +97,7 @@ ADMX Info: +
**Kerberos/KerberosClientSupportsClaimsCompoundArmor** @@ -95,6 +124,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. @@ -118,6 +156,7 @@ ADMX Info: +
**Kerberos/RequireKerberosArmoring** @@ -144,6 +183,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. @@ -172,6 +220,7 @@ ADMX Info: +
**Kerberos/RequireStrictKDCValidation** @@ -198,6 +247,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. @@ -222,6 +280,7 @@ ADMX Info: +
**Kerberos/SetMaximumContextTokenSize** @@ -248,6 +307,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index a8f855bc5e..47c63e821c 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Licensing @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Licensing policies +
-
+
**Licensing/AllowWindowsEntitlementReactivation** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +
**Licensing/DisallowKMSClientOnlineAVSValidation** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 5eb02ceae2..f2c1e120e8 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - LocalPoliciesSecurityOptions @@ -14,11 +14,87 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## LocalPoliciesSecurityOptions policies +
-
+
**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -45,6 +121,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting prevents users from adding new Microsoft accounts on this computer. @@ -61,6 +146,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** @@ -87,6 +173,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This security setting determines whether the local Administrator account is enabled or disabled. @@ -104,6 +199,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** @@ -130,6 +226,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This security setting determines if the Guest account is enabled or disabled. @@ -144,6 +249,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** @@ -170,6 +276,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Accounts: Limit local account use of blank passwords to console logon only @@ -192,6 +307,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** @@ -218,6 +334,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Accounts: Rename administrator account @@ -229,6 +354,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** @@ -255,6 +381,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Accounts: Rename guest account @@ -266,6 +401,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -292,6 +428,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive Logon:Display user information when the session is locked @@ -304,6 +449,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn** @@ -330,6 +476,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Don't display last signed-in @@ -347,6 +502,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn** @@ -373,6 +529,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Don't display username at sign-in @@ -391,6 +556,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL** @@ -417,6 +583,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Do not require CTRL+ALT+DEL @@ -436,6 +611,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** @@ -462,6 +638,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Machine inactivity limit. @@ -476,6 +661,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** @@ -502,6 +688,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Message text for users attempting to log on @@ -515,6 +710,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** @@ -541,6 +737,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Interactive logon: Message title for users attempting to log on @@ -552,6 +757,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -578,6 +784,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Network security: Allow PKU2U authentication requests to this computer to use online identities. @@ -591,6 +806,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** @@ -631,6 +847,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** @@ -657,6 +874,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Shutdown: Allow system to be shut down without having to log on @@ -676,6 +902,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** @@ -702,6 +929,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. @@ -720,6 +956,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** @@ -746,6 +983,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode @@ -769,6 +1015,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** @@ -795,6 +1042,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. @@ -811,6 +1067,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** @@ -837,6 +1094,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Only elevate executable files that are signed and validated @@ -850,6 +1116,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** @@ -876,6 +1143,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Only elevate UIAccess applications that are installed in secure locations @@ -895,6 +1171,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode** @@ -921,6 +1198,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Turn on Admin Approval Mode @@ -935,6 +1221,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** @@ -961,6 +1248,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Switch to the secure desktop when prompting for elevation @@ -974,6 +1270,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. +
**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** @@ -1000,6 +1297,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + User Account Control: Virtualize file and registry write failures to per-user locations diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index 130111a793..f1124ffad4 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Location @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Location policies +
-
+
**Location/EnableLocation** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index ff2b494dee..038d477577 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - LockDown @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## LockDown policies +
-
+
**LockDown/AllowEdgeSwipe** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 40abac41bc..5c1dab3c54 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Maps @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Maps policies + + +
**Maps/AllowOfflineMapsDownloadOverMeteredConnection** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. @@ -58,6 +77,7 @@ ms.date: 08/30/2017 +
**Maps/EnableOfflineMapsAutoUpdate** @@ -84,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Disables the automatic download and update of map data. diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index edaff6765e..eac7199c3e 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Messaging @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Messaging policies +
-
+
**Messaging/AllowMMS** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -58,6 +80,7 @@ ms.date: 08/30/2017 +
**Messaging/AllowMessageSync** @@ -84,6 +107,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -94,6 +126,7 @@ ms.date: 08/30/2017 +
**Messaging/AllowRCS** @@ -120,6 +153,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 3196840a3b..95dcb7e362 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - NetworkIsolation @@ -14,11 +14,39 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## NetworkIsolation policies +
-
+
**NetworkIsolation/EnterpriseCloudResources** @@ -45,11 +73,21 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. +
**NetworkIsolation/EnterpriseIPRange** @@ -76,6 +114,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: @@ -90,6 +137,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +
**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** @@ -116,11 +164,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. +
**NetworkIsolation/EnterpriseInternalProxyServers** @@ -147,11 +205,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. +
**NetworkIsolation/EnterpriseNetworkDomainNames** @@ -178,6 +246,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". @@ -193,6 +270,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +
**NetworkIsolation/EnterpriseProxyServers** @@ -219,11 +297,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". +
**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** @@ -250,11 +338,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. +
**NetworkIsolation/NeutralResources** @@ -281,6 +379,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
List of domain names that can used for work or personal resource. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 2a291f8ba6..f85714b12c 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Notifications @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Notifications policies + + +
**Notifications/DisallowNotificationMirroring** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 17298b3cdf..e981b7483e 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Power @@ -14,11 +14,42 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Power policies +
-
+
**Power/AllowStandbyWhenSleepingPluggedIn** @@ -45,6 +76,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. @@ -69,6 +109,7 @@ ADMX Info: +
**Power/DisplayOffTimeoutOnBattery** @@ -95,6 +136,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -121,6 +171,7 @@ ADMX Info: +
**Power/DisplayOffTimeoutPluggedIn** @@ -147,6 +198,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -173,6 +233,7 @@ ADMX Info: +
**Power/HibernateTimeoutOnBattery** @@ -199,6 +260,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -226,6 +296,7 @@ ADMX Info: +
**Power/HibernateTimeoutPluggedIn** @@ -252,6 +323,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -278,6 +358,7 @@ ADMX Info: +
**Power/RequirePasswordWhenComputerWakesOnBattery** @@ -304,6 +385,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. @@ -328,6 +418,7 @@ ADMX Info: +
**Power/RequirePasswordWhenComputerWakesPluggedIn** @@ -354,6 +445,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. @@ -378,6 +478,7 @@ ADMX Info: +
**Power/StandbyTimeoutOnBattery** @@ -404,6 +505,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. @@ -430,6 +540,7 @@ ADMX Info: +
**Power/StandbyTimeoutPluggedIn** @@ -456,6 +567,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index ffd1d93c3c..2e7c8296f2 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Printers @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Printers policies +
-
+
**Printers/PointAndPrintRestrictions** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. @@ -82,6 +104,7 @@ ADMX Info: +
**Printers/PointAndPrintRestrictions_User** @@ -108,6 +131,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. @@ -145,6 +177,7 @@ ADMX Info: +
**Printers/PublishPrinters** @@ -171,6 +204,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Determines whether the computer's shared printers can be published in Active Directory. diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index fae39d1341..79333d939d 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Privacy @@ -14,11 +14,246 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Privacy policies +
-
+
**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** @@ -45,6 +280,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. @@ -60,6 +304,7 @@ ms.date: 08/30/2017 +
**Privacy/AllowInputPersonalization** @@ -86,6 +331,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. @@ -99,6 +353,7 @@ ms.date: 08/30/2017 +
**Privacy/DisableAdvertisingId** @@ -125,6 +380,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Enables or disables the Advertising ID. @@ -138,6 +402,7 @@ ms.date: 08/30/2017 +
**Privacy/EnableActivityFeed** @@ -164,6 +429,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. @@ -174,6 +448,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessAccountInfo** @@ -200,6 +475,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. @@ -213,6 +497,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** @@ -239,11 +524,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** @@ -270,11 +565,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** @@ -301,11 +606,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCalendar** @@ -332,6 +647,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. @@ -345,6 +669,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** @@ -371,11 +696,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** @@ -402,11 +737,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** @@ -433,11 +778,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCallHistory** @@ -464,6 +819,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. @@ -477,6 +841,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** @@ -503,11 +868,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** @@ -534,11 +909,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** @@ -565,11 +950,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. +
**Privacy/LetAppsAccessCamera** @@ -596,6 +991,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. @@ -609,6 +1013,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** @@ -635,11 +1040,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +
**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** @@ -666,11 +1081,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +
**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** @@ -697,11 +1122,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. +
**Privacy/LetAppsAccessContacts** @@ -728,6 +1163,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. @@ -741,6 +1185,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** @@ -767,11 +1212,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +
**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** @@ -798,11 +1253,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +
**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** @@ -829,11 +1294,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. +
**Privacy/LetAppsAccessEmail** @@ -860,6 +1335,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access email. @@ -873,6 +1357,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** @@ -899,11 +1384,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +
**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** @@ -930,11 +1425,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +
**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** @@ -961,11 +1466,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. +
**Privacy/LetAppsAccessLocation** @@ -992,6 +1507,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access location. @@ -1005,6 +1529,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** @@ -1031,11 +1556,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +
**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** @@ -1062,11 +1597,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +
**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** @@ -1093,11 +1638,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. +
**Privacy/LetAppsAccessMessaging** @@ -1124,6 +1679,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). @@ -1137,6 +1701,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** @@ -1163,11 +1728,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +
**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** @@ -1194,11 +1769,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +
**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** @@ -1225,11 +1810,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. +
**Privacy/LetAppsAccessMicrophone** @@ -1256,6 +1851,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. @@ -1269,6 +1873,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** @@ -1295,11 +1900,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +
**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** @@ -1326,11 +1941,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +
**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** @@ -1357,11 +1982,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. +
**Privacy/LetAppsAccessMotion** @@ -1388,6 +2023,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. @@ -1401,6 +2045,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** @@ -1427,11 +2072,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +
**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** @@ -1458,11 +2113,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +
**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** @@ -1489,11 +2154,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. +
**Privacy/LetAppsAccessNotifications** @@ -1520,6 +2195,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. @@ -1533,6 +2217,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** @@ -1559,11 +2244,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +
**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** @@ -1590,11 +2285,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +
**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** @@ -1621,11 +2326,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. +
**Privacy/LetAppsAccessPhone** @@ -1652,6 +2367,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. @@ -1665,6 +2389,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** @@ -1691,11 +2416,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +
**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** @@ -1722,11 +2457,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +
**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** @@ -1753,11 +2498,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. +
**Privacy/LetAppsAccessRadios** @@ -1784,6 +2539,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. @@ -1797,6 +2561,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** @@ -1823,11 +2588,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +
**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** @@ -1854,11 +2629,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +
**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** @@ -1885,11 +2670,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. +
**Privacy/LetAppsAccessTasks** @@ -1916,11 +2711,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. +
**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** @@ -1947,11 +2752,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +
**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** @@ -1978,11 +2793,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +
**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** @@ -2009,11 +2834,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. +
**Privacy/LetAppsAccessTrustedDevices** @@ -2040,6 +2875,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. @@ -2053,6 +2897,7 @@ The following list shows the supported values: +
**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** @@ -2079,11 +2924,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +
**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** @@ -2110,11 +2965,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +
**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** @@ -2141,11 +3006,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. +
**Privacy/LetAppsGetDiagnosticInfo** @@ -2172,6 +3047,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. @@ -2185,6 +3069,7 @@ The following list shows the supported values: +
**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** @@ -2211,11 +3096,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +
**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** @@ -2242,11 +3137,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +
**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** @@ -2273,11 +3178,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. +
**Privacy/LetAppsRunInBackground** @@ -2304,6 +3219,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. @@ -2319,6 +3243,7 @@ The following list shows the supported values: +
**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** @@ -2345,11 +3270,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +
**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** @@ -2376,11 +3311,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +
**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** @@ -2407,11 +3352,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +
**Privacy/LetAppsSyncWithDevices** @@ -2438,6 +3393,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. @@ -2451,6 +3415,7 @@ The following list shows the supported values: +
**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** @@ -2477,11 +3442,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +
**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** @@ -2508,11 +3483,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +
**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** @@ -2539,11 +3524,21 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. +
**Privacy/PublishUserActivities** @@ -2570,6 +3565,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 61751bca3b..71e7c1ee14 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteAssistance @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
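Review bot: In the Privacy/PublishUserActivities section of policy-csp-privacy.md, the description kept as context under the new Scope block reads "Allows It Admins to enable publishing of user activities to the activity feed". Since this change already touches the section, correct "It Admins" to "IT admins".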
+ ## RemoteAssistance policies +
-
+
**RemoteAssistance/CustomizeWarningMessages** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting lets you customize warning messages. @@ -75,6 +100,7 @@ ADMX Info: +
**RemoteAssistance/SessionLogging** @@ -101,6 +127,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. @@ -127,6 +162,7 @@ ADMX Info: +
**RemoteAssistance/SolicitedRemoteAssistance** @@ -153,6 +189,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. @@ -187,6 +232,7 @@ ADMX Info: +
**RemoteAssistance/UnsolicitedRemoteAssistance** @@ -213,6 +259,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 411214069f..589ff8b724 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteDesktopServices @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## RemoteDesktopServices policies +
-
+
**RemoteDesktopServices/AllowUsersToConnectRemotely** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to configure remote access to computers by using Remote Desktop Services. @@ -75,6 +106,7 @@ ADMX Info: +
**RemoteDesktopServices/ClientConnectionEncryptionLevel** @@ -101,6 +133,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. @@ -135,6 +176,7 @@ ADMX Info: +
**RemoteDesktopServices/DoNotAllowDriveRedirection** @@ -161,6 +203,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). @@ -189,6 +240,7 @@ ADMX Info: +
**RemoteDesktopServices/DoNotAllowPasswordSaving** @@ -215,6 +267,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Controls whether passwords can be saved on this computer from Remote Desktop Connection. @@ -239,6 +300,7 @@ ADMX Info: +
**RemoteDesktopServices/PromptForPasswordUponConnection** @@ -265,6 +327,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. @@ -295,6 +366,7 @@ ADMX Info: +
**RemoteDesktopServices/RequireSecureRPCCommunication** @@ -321,6 +393,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index d084b5d609..7ed74820ef 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteManagement @@ -14,11 +14,60 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## RemoteManagement policies +
-
+
**RemoteManagement/AllowBasicAuthentication_Client** @@ -45,6 +94,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -63,6 +121,7 @@ ADMX Info: +
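Review bot: In policy-csp-remotemanagement.md, the context after the new Scope block under RemoteManagement/AllowBasicAuthentication_Client runs straight into "> [!TIP]" and "ADMX Info:" with no description sentence. The RemoteAssistance and RemoteDesktopServices sections, by contrast, show a "This policy setting ..." line directly after the Scope block. The other RemoteManagement hunks visible here show the same pattern. The policy names (AllowBasicAuthentication, AllowUnencryptedTraffic, TrustedHosts) indicate authentication and transport settings, so add a one-line description of what enabling and disabling each one does, so the Device scope is not the only documentation an administrator sees.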
**RemoteManagement/AllowBasicAuthentication_Service** @@ -89,6 +148,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -107,6 +175,7 @@ ADMX Info: +
**RemoteManagement/AllowCredSSPAuthenticationClient** @@ -133,6 +202,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -151,6 +229,7 @@ ADMX Info: +
**RemoteManagement/AllowCredSSPAuthenticationService** @@ -177,6 +256,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -195,6 +283,7 @@ ADMX Info: +
**RemoteManagement/AllowRemoteServerManagement** @@ -221,6 +310,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -239,6 +337,7 @@ ADMX Info: +
**RemoteManagement/AllowUnencryptedTraffic_Client** @@ -265,6 +364,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -283,6 +391,7 @@ ADMX Info: +
**RemoteManagement/AllowUnencryptedTraffic_Service** @@ -309,6 +418,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -327,6 +445,7 @@ ADMX Info: +
**RemoteManagement/DisallowDigestAuthentication** @@ -353,6 +472,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -371,6 +499,7 @@ ADMX Info: +
**RemoteManagement/DisallowNegotiateAuthenticationClient** @@ -397,6 +526,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -415,6 +553,7 @@ ADMX Info: +
**RemoteManagement/DisallowNegotiateAuthenticationService** @@ -441,6 +580,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -459,6 +607,7 @@ ADMX Info: +
**RemoteManagement/DisallowStoringOfRunAsCredentials** @@ -485,6 +634,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -503,6 +661,7 @@ ADMX Info: +
**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** @@ -529,6 +688,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -547,6 +715,7 @@ ADMX Info: +
**RemoteManagement/TrustedHosts** @@ -573,6 +742,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -591,6 +769,7 @@ ADMX Info: +
**RemoteManagement/TurnOnCompatibilityHTTPListener** @@ -617,6 +796,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -635,6 +823,7 @@ ADMX Info: +
**RemoteManagement/TurnOnCompatibilityHTTPSListener** @@ -661,6 +850,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index dc1dab2c86..37e4a03a6a 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteProcedureCall @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## RemoteProcedureCall policies +
-
+
**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. @@ -73,6 +92,7 @@ ADMX Info: +
**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** @@ -99,6 +119,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 32309bdf9d..9dd90c60be 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - RemoteShell @@ -14,11 +14,36 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## RemoteShell policies +
-
+
**RemoteShell/AllowRemoteShellAccess** @@ -45,6 +70,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -63,6 +97,7 @@ ADMX Info: +
**RemoteShell/MaxConcurrentUsers** @@ -89,6 +124,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -107,6 +151,7 @@ ADMX Info: +
**RemoteShell/SpecifyIdleTimeout** @@ -133,6 +178,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -151,6 +205,7 @@ ADMX Info: +
**RemoteShell/SpecifyMaxMemory** @@ -177,6 +232,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -195,6 +259,7 @@ ADMX Info: +
**RemoteShell/SpecifyMaxProcesses** @@ -221,6 +286,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -239,6 +313,7 @@ ADMX Info: +
**RemoteShell/SpecifyMaxRemoteShells** @@ -265,6 +340,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -283,6 +367,7 @@ ADMX Info: +
**RemoteShell/SpecifyShellTimeout** @@ -309,6 +394,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 783aac1e8d..d8d759bd86 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Search @@ -14,11 +14,45 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Search policies +
-
+
**Search/AllowCloudSearch** @@ -45,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. @@ -55,6 +98,7 @@ ms.date: 08/30/2017 +
**Search/AllowIndexingEncryptedStoresOrItems** @@ -81,6 +125,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. @@ -97,6 +150,7 @@ ms.date: 08/30/2017 +
**Search/AllowSearchToUseLocation** @@ -123,6 +177,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether search can leverage location information. @@ -135,6 +198,7 @@ ms.date: 08/30/2017 +
**Search/AllowUsingDiacritics** @@ -161,6 +225,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the use of diacritics. @@ -173,6 +246,7 @@ ms.date: 08/30/2017 +
**Search/AlwaysUseAutoLangDetection** @@ -199,6 +273,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to always use automatic language detection when indexing content and properties. @@ -211,6 +294,7 @@ ms.date: 08/30/2017 +
**Search/DisableBackoff** @@ -237,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. @@ -247,6 +340,7 @@ ms.date: 08/30/2017 +
**Search/DisableRemovableDriveIndexing** @@ -273,6 +367,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This policy setting configures whether or not locations on removable drives can be added to libraries. @@ -287,6 +390,7 @@ ms.date: 08/30/2017 +
**Search/PreventIndexingLowDiskSpaceMB** @@ -313,6 +417,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. @@ -327,6 +440,7 @@ ms.date: 08/30/2017 +
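Review bot: The Search/PreventIndexingLowDiskSpaceMB description left as context under the new Scope block is inconsistent. It says indexing stops when less than "the specified amount" of disk space is left, and the policy name ends in MB, yet the next sentence says "Select between 0 and 1". State whether the value is an on/off flag or a size in megabytes, and if it is a flag, name the threshold it enforces.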
**Search/PreventRemoteQueries** @@ -353,6 +467,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. @@ -363,6 +486,7 @@ ms.date: 08/30/2017 +
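Review bot: The Search/PreventRemoteQueries description ends with a doubled period ("client search requests will use this computer's index.."). Drop the extra one while this section is being edited.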
**Search/SafeSearchPermissions** @@ -389,6 +513,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 229903014f..be8599f45e 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Security @@ -14,11 +14,45 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Security policies +
-
+
**Security/AllowAddProvisioningPackage** @@ -45,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow the runtime configuration agent to install provisioning packages. @@ -55,6 +98,7 @@ ms.date: 08/30/2017 +
**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** @@ -100,6 +144,7 @@ ms.date: 08/30/2017 +
**Security/AllowManualRootCertificateInstallation** @@ -126,6 +171,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
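Review bot: Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices is the only policy section of policy-csp-security.md visible here that gets a separator but no Scope block. The hunks at -55,6 and -100,6 each add a single line, and nothing is inserted between them. Every other Security policy shown, including Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices, gains the Device checklist. Add the Scope block here as well, or, if this entry is superseded by the PreventAutomaticDeviceEncryptionForAzureADJoinedDevices policy, say so in the section or remove the entry.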
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -142,6 +196,7 @@ ms.date: 08/30/2017 +
**Security/AllowRemoveProvisioningPackage** @@ -168,6 +223,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow the runtime configuration agent to remove provisioning packages. @@ -178,6 +242,7 @@ ms.date: 08/30/2017 +
**Security/AntiTheftMode** @@ -204,6 +269,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -218,6 +292,7 @@ ms.date: 08/30/2017 +
**Security/ClearTPMIfNotReady** @@ -244,6 +319,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -257,6 +341,7 @@ The following list shows the supported values: +
**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** @@ -283,6 +368,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -299,6 +393,7 @@ The following list shows the supported values: +
**Security/RequireDeviceEncryption** @@ -325,6 +420,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. @@ -343,6 +447,7 @@ The following list shows the supported values: +
**Security/RequireProvisioningPackageSignature** @@ -369,6 +474,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether provisioning packages must have a certificate signed by a device trusted authority. @@ -379,6 +493,7 @@ The following list shows the supported values: +
**Security/RequireRetrieveHealthCertificateOnBoot** @@ -405,6 +520,15 @@ The following list shows the supported values: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 50a3295347..987f2c639b 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Settings @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Settings policies +
-
+
**Settings/AllowAutoPlay** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -62,6 +114,7 @@ ms.date: 08/30/2017 +
**Settings/AllowDataSense** @@ -88,6 +141,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the user to change Data Sense settings. @@ -98,6 +160,7 @@ ms.date: 08/30/2017 +
**Settings/AllowDateTime** @@ -124,6 +187,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the user to change date and time settings. @@ -134,6 +206,7 @@ ms.date: 08/30/2017 +
**Settings/AllowEditDeviceName** @@ -160,6 +233,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows editing of the device name. @@ -170,6 +252,7 @@ ms.date: 08/30/2017 +
**Settings/AllowLanguage** @@ -196,6 +279,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -210,6 +302,7 @@ ms.date: 08/30/2017 +
**Settings/AllowPowerSleep** @@ -236,6 +329,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -250,6 +352,7 @@ ms.date: 08/30/2017 +
**Settings/AllowRegion** @@ -276,6 +379,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -290,6 +402,7 @@ ms.date: 08/30/2017 +
**Settings/AllowSignInOptions** @@ -316,6 +429,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -330,6 +452,7 @@ ms.date: 08/30/2017 +
**Settings/AllowVPN** @@ -356,6 +479,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the user to change VPN settings. @@ -366,6 +498,7 @@ ms.date: 08/30/2017 +
**Settings/AllowWorkplace** @@ -392,6 +525,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -406,6 +548,7 @@ ms.date: 08/30/2017 +
**Settings/AllowYourAccount** @@ -432,6 +575,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows user to change account settings. @@ -442,6 +594,7 @@ ms.date: 08/30/2017 +
**Settings/ConfigureTaskbarCalendar** @@ -468,6 +621,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -480,6 +642,7 @@ ms.date: 08/30/2017 +
**Settings/PageVisibilityList** @@ -506,6 +669,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index adc515f986..2437d31e21 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - SmartScreen @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## SmartScreen policies +
-
+
**SmartScreen/EnableAppInstallControl** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. @@ -55,6 +77,7 @@ ms.date: 08/30/2017 +
**SmartScreen/EnableSmartScreenInShell** @@ -81,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. @@ -91,6 +123,7 @@ ms.date: 08/30/2017 +
**SmartScreen/PreventOverrideForFilesInShell** @@ -117,6 +150,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 833057f11a..de1665ee8d 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Speech @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Speech policies +
-
+
**Speech/AllowSpeechModelUpdate** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 75e90f86a0..f73f1b8331 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Start @@ -14,11 +14,99 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Start policies +
-
+
**Start/AllowPinnedFolderDocuments** @@ -45,6 +133,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. @@ -56,6 +153,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderDownloads** @@ -82,6 +180,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. @@ -93,6 +200,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderFileExplorer** @@ -119,6 +227,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. @@ -130,6 +247,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderHomeGroup** @@ -156,6 +274,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. @@ -167,6 +294,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderMusic** @@ -193,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. @@ -204,6 +341,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderNetwork** @@ -230,6 +368,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. @@ -241,6 +388,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderPersonalFolder** @@ -267,6 +415,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. @@ -278,6 +435,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderPictures** @@ -304,6 +462,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. @@ -315,6 +482,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderSettings** @@ -341,6 +509,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. @@ -352,6 +529,7 @@ ms.date: 08/30/2017 +
**Start/AllowPinnedFolderVideos** @@ -378,6 +556,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. @@ -389,6 +576,7 @@ ms.date: 08/30/2017 +
**Start/ForceStartSize** @@ -415,6 +603,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -432,6 +629,7 @@ ms.date: 08/30/2017 +
**Start/HideAppList** @@ -458,6 +656,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -483,6 +690,7 @@ ms.date: 08/30/2017 +
**Start/HideChangeAccountSettings** @@ -509,6 +717,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -524,6 +741,7 @@ ms.date: 08/30/2017 +
**Start/HideFrequentlyUsedApps** @@ -550,6 +768,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -572,6 +799,7 @@ ms.date: 08/30/2017 +
**Start/HideHibernate** @@ -598,6 +826,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. @@ -616,6 +853,7 @@ ms.date: 08/30/2017 +
**Start/HideLock** @@ -642,6 +880,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -657,6 +904,7 @@ ms.date: 08/30/2017 +
**Start/HidePowerButton** @@ -683,6 +931,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -701,6 +958,7 @@ ms.date: 08/30/2017 +
**Start/HideRecentJumplists** @@ -727,6 +985,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -752,6 +1019,7 @@ ms.date: 08/30/2017 +
**Start/HideRecentlyAddedApps** @@ -778,6 +1046,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -800,6 +1077,7 @@ ms.date: 08/30/2017 +
**Start/HideRestart** @@ -826,6 +1104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -841,6 +1128,7 @@ ms.date: 08/30/2017 +
**Start/HideShutDown** @@ -867,6 +1155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -882,6 +1179,7 @@ ms.date: 08/30/2017 +
**Start/HideSignOut** @@ -908,6 +1206,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -923,6 +1230,7 @@ ms.date: 08/30/2017 +
**Start/HideSleep** @@ -949,6 +1257,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -964,6 +1281,7 @@ ms.date: 08/30/2017 +
**Start/HideSwitchAccount** @@ -990,6 +1308,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -1005,6 +1332,7 @@ ms.date: 08/30/2017 +
**Start/HideUserTile** @@ -1031,6 +1359,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -1050,6 +1387,7 @@ ms.date: 08/30/2017 +
**Start/ImportEdgeAssets** @@ -1076,6 +1414,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -1096,6 +1443,7 @@ ms.date: 08/30/2017 +
**Start/NoPinningToTaskbar** @@ -1122,6 +1470,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. @@ -1140,6 +1497,7 @@ ms.date: 08/30/2017 +
**Start/StartLayout** @@ -1166,6 +1524,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!IMPORTANT] > This node is set on a per-user basis and must be accessed using the following paths: diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index e73be79d8b..f7485274a3 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Storage @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Storage policies +
-
+
**Storage/EnhancedStorageDevices** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures whether or not Windows will activate an Enhanced Storage device. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index d077ea3454..e525611653 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - System @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## System policies +
-
+
**System/AllowBuildPreview** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. @@ -62,6 +114,7 @@ ms.date: 08/30/2017 +
**System/AllowEmbeddedMode** @@ -88,6 +141,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether set general purpose device to be in embedded mode. @@ -100,6 +162,7 @@ ms.date: 08/30/2017 +
**System/AllowExperimentation** @@ -126,6 +189,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is not supported in Windows 10, version 1607. @@ -142,6 +214,7 @@ ms.date: 08/30/2017 +
**System/AllowFontProviders** @@ -168,6 +241,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. @@ -189,6 +271,7 @@ ms.date: 08/30/2017 +
**System/AllowLocation** @@ -215,6 +298,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether to allow app access to the Location service. @@ -234,6 +326,7 @@ ms.date: 08/30/2017 +
**System/AllowStorageCard** @@ -260,6 +353,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. @@ -272,6 +374,7 @@ ms.date: 08/30/2017 +
**System/AllowTelemetry** @@ -298,12 +401,28 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +
Allow the device to send diagnostic and usage telemetry data, such as Watson.
The following tables describe the supported values: -
+ + N/A @@ -447,6 +593,7 @@ ADMX Info: +
**System/DisableOneDriveFileSync** @@ -473,6 +620,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: @@ -497,6 +653,7 @@ ADMX Info: +
**System/DisableSystemRestore** @@ -523,6 +680,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Allows you to disable System Restore. @@ -553,6 +719,7 @@ ADMX Info: +
**System/LimitEnhancedDiagnosticDataWindowsAnalytics** @@ -579,6 +746,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. @@ -595,9 +771,9 @@ ADMX Info:
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - +
**System/TelemetryProxy** @@ -624,6 +800,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 08041394b9..fde893e7ec 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - TextInput @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## TextInput policies +
-
+
**TextInput/AllowIMELogging** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -61,6 +113,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowIMENetworkAccess** @@ -87,6 +140,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -103,6 +165,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowInputPanel** @@ -129,6 +192,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -145,6 +217,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowJapaneseIMESurrogatePairCharacters** @@ -171,6 +244,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -187,6 +269,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowJapaneseIVSCharacters** @@ -213,6 +296,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -229,6 +321,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowJapaneseNonPublishingStandardGlyph** @@ -255,6 +348,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -271,6 +373,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowJapaneseUserDictionary** @@ -297,6 +400,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -313,6 +425,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowKeyboardTextSuggestions** @@ -339,6 +452,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -360,6 +482,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowKoreanExtendedHanja** @@ -368,6 +491,7 @@ ms.date: 08/30/2017 +
**TextInput/AllowLanguageFeaturesUninstall** @@ -394,6 +518,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -410,6 +543,7 @@ ms.date: 08/30/2017 +
**TextInput/ExcludeJapaneseIMEExceptJIS0208** @@ -436,6 +570,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -450,6 +593,7 @@ ms.date: 08/30/2017 +
**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** @@ -476,6 +620,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -490,6 +643,7 @@ ms.date: 08/30/2017 +
**TextInput/ExcludeJapaneseIMEExceptShiftJIS** @@ -516,6 +670,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 5eba1aac1c..5da538c24a 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - TimeLanguageSettings @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## TimeLanguageSettings policies + + +
**TimeLanguageSettings/AllowSet24HourClock** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index e3a796b41d..1d27aafdd8 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Update @@ -14,11 +14,150 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Update policies +
-
+
**Update/ActiveHoursEnd** @@ -45,6 +184,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. @@ -57,6 +205,7 @@ ms.date: 08/30/2017 +
**Update/ActiveHoursMaxRange** @@ -83,6 +232,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. @@ -92,6 +250,7 @@ ms.date: 08/30/2017 +
**Update/ActiveHoursStart** @@ -118,6 +277,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. @@ -130,6 +298,7 @@ ms.date: 08/30/2017 +
**Update/AllowAutoUpdate** @@ -156,6 +325,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Enables the IT admin to manage automatic update behavior to scan, download, and install updates. @@ -178,6 +356,7 @@ ms.date: 08/30/2017 +
**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** @@ -204,6 +383,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. @@ -213,8 +401,10 @@ ms.date: 08/30/2017 A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. This policy is accessible through the Update setting in the user interface or Group Policy. + +
**Update/AllowMUUpdateService** @@ -241,6 +431,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. @@ -251,6 +450,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/AllowNonMicrosoftSignedUpdate** @@ -277,6 +477,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. @@ -291,6 +500,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/AllowUpdateService** @@ -317,6 +527,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. @@ -334,6 +553,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/AutoRestartDeadlinePeriodInDays** @@ -360,6 +580,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. @@ -369,6 +598,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/AutoRestartNotificationSchedule** @@ -395,6 +625,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. @@ -404,6 +643,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/AutoRestartRequiredNotificationDismissal** @@ -430,6 +670,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. @@ -440,6 +689,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/BranchReadinessLevel** @@ -466,16 +716,29 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
The following list shows the supported values: -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). +- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) +- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) +- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. +
**Update/DeferFeatureUpdatesPeriodInDays** @@ -502,6 +765,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -514,6 +786,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/DeferQualityUpdatesPeriodInDays** @@ -540,6 +813,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. @@ -547,6 +829,7 @@ This policy is accessible through the Update setting in the user interface or Gr +
**Update/DeferUpdatePeriod** @@ -573,6 +856,15 @@ This policy is accessible through the Update setting in the user interface or Gr + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. @@ -591,7 +883,34 @@ This policy is accessible through the Update setting in the user interface or Gr
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -
+ + > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -687,6 +1016,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/DetectionFrequency** @@ -713,11 +1043,21 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. +
**Update/DisableDualScan** @@ -744,6 +1084,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. @@ -758,6 +1107,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/EngagedRestartDeadline** @@ -784,6 +1134,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). @@ -793,6 +1152,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/EngagedRestartSnoozeSchedule** @@ -819,6 +1179,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. @@ -828,6 +1197,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/EngagedRestartTransitionSchedule** @@ -854,6 +1224,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. @@ -863,6 +1242,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/ExcludeWUDriversInQualityUpdate** @@ -889,6 +1269,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -902,6 +1291,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/FillEmptyContentUrls** @@ -928,6 +1318,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). @@ -941,6 +1340,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/IgnoreMOAppDownloadLimit** @@ -967,6 +1367,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -990,6 +1399,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/IgnoreMOUpdateDownloadLimit** @@ -1016,6 +1426,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -1037,6 +1456,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/PauseDeferrals** @@ -1063,6 +1483,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. @@ -1081,6 +1510,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/PauseFeatureUpdates** @@ -1107,6 +1537,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -1120,6 +1559,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/PauseFeatureUpdatesStartTime** @@ -1146,6 +1586,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. @@ -1153,6 +1602,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/PauseQualityUpdates** @@ -1179,6 +1629,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. @@ -1189,6 +1648,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/PauseQualityUpdatesStartTime** @@ -1215,6 +1675,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. @@ -1222,6 +1691,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/RequireDeferUpgrade** @@ -1248,20 +1718,30 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. -
Allows the IT admin to set a device to CBB train. +
Allows the IT admin to set a device to Semi-Annual Channel train.
The following list shows the supported values: -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. +- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). +- 1 – User gets upgrades from Semi-Annual Channel. +
**Update/RequireUpdateApproval** @@ -1288,6 +1768,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. @@ -1304,6 +1793,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/ScheduleImminentRestartWarning** @@ -1330,6 +1820,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. @@ -1339,6 +1838,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/ScheduleRestartWarning** @@ -1365,6 +1865,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -1378,6 +1887,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/ScheduledInstallDay** @@ -1404,6 +1914,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Enables the IT admin to schedule the day of the update installation. @@ -1424,6 +1943,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/ScheduledInstallEveryWeek** @@ -1450,6 +1970,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
-
@@ -1459,6 +1988,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallFirstWeek** @@ -1485,6 +2015,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
-
@@ -1494,6 +2033,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallFourthWeek** @@ -1520,6 +2060,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
-
@@ -1529,6 +2078,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallSecondWeek** @@ -1555,6 +2105,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
-
@@ -1564,6 +2123,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallThirdWeek** @@ -1590,6 +2150,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
-
@@ -1599,6 +2168,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallTime** @@ -1625,6 +2195,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -1642,6 +2221,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/SetAutoRestartNotificationDisable** @@ -1668,6 +2248,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. @@ -1678,6 +2267,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/SetEDURestart** @@ -1704,6 +2294,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. @@ -1714,6 +2313,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego +
**Update/UpdateServiceUrl** @@ -1740,6 +2340,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. @@ -1773,6 +2382,7 @@ Example +
**Update/UpdateServiceUrlAlternate** @@ -1799,6 +2409,15 @@ Example + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 7d019f9c35..e035750dfa 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Wifi @@ -14,11 +14,36 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Wifi policies +
-
+
**WiFi/AllowWiFiHotSpotReporting** @@ -27,6 +52,7 @@ ms.date: 08/30/2017 +
**Wifi/AllowAutoConnectToWiFiSenseHotspots** @@ -53,6 +79,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allow or disallow the device to automatically connect to Wi-Fi hotspots. @@ -65,6 +100,7 @@ ms.date: 08/30/2017 +
**Wifi/AllowInternetSharing** @@ -91,6 +127,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allow or disallow internet sharing. @@ -103,6 +148,7 @@ ms.date: 08/30/2017 +
**Wifi/AllowManualWiFiConfiguration** @@ -129,6 +175,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. @@ -144,6 +199,7 @@ ms.date: 08/30/2017 +
**Wifi/AllowWiFi** @@ -170,6 +226,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allow or disallow WiFi connection. @@ -182,6 +247,7 @@ ms.date: 08/30/2017 +
**Wifi/AllowWiFiDirect** @@ -208,6 +274,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. Allow WiFi Direct connection.. @@ -216,6 +291,7 @@ ms.date: 08/30/2017 +
**Wifi/WLANScanMode** @@ -242,6 +318,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index ba85960f84..d47b897f44 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsDefenderSecurityCenter @@ -14,11 +14,57 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## WindowsDefenderSecurityCenter policies +
-
+
**WindowsDefenderSecurityCenter/CompanyName** @@ -45,6 +91,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. @@ -52,6 +107,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableAppBrowserUI** @@ -78,6 +134,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -88,6 +153,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableEnhancedNotifications** @@ -114,6 +180,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. @@ -127,6 +202,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableFamilyUI** @@ -153,6 +229,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -163,6 +248,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableHealthUI** @@ -189,6 +275,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -199,6 +294,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableNetworkUI** @@ -225,6 +321,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -235,6 +340,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableNotifications** @@ -261,6 +367,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. @@ -271,6 +386,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisableVirusUI** @@ -297,6 +413,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. @@ -307,6 +432,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** @@ -333,6 +459,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. @@ -343,6 +478,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/Email** @@ -369,6 +505,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. @@ -376,6 +521,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/EnableCustomizedToasts** @@ -402,6 +548,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. @@ -412,6 +567,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/EnableInAppCustomization** @@ -438,6 +594,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. @@ -448,6 +613,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/Phone** @@ -474,6 +640,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. @@ -481,6 +656,7 @@ ms.date: 08/30/2017 +
**WindowsDefenderSecurityCenter/URL** @@ -507,6 +683,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 32d34d88ec..43176e2f15 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsInkWorkspace @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## WindowsInkWorkspace policies +
-
+
**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +
**WindowsInkWorkspace/AllowWindowsInkWorkspace** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 22b96181e5..71a5e7e63a 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WindowsLogon @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## WindowsLogon policies +
-
+
**WindowsLogon/DisableLockScreenAppNotifications** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to prevent app notifications from appearing on the lock screen. @@ -69,6 +91,7 @@ ADMX Info: +
**WindowsLogon/DontDisplayNetworkSelectionUI** @@ -95,6 +118,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. @@ -119,6 +151,7 @@ ADMX Info: +
**WindowsLogon/HideFastUserSwitching** @@ -145,6 +178,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index ea09c4b3c7..0d7ab2b543 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - WirelessDisplay @@ -14,11 +14,33 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## WirelessDisplay policies +
-
+
**WirelessDisplay/AllowProjectionFromPC** @@ -45,6 +67,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. @@ -53,6 +84,7 @@ ms.date: 08/30/2017 +
**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** @@ -79,6 +111,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. @@ -87,6 +128,7 @@ ms.date: 08/30/2017 +
**WirelessDisplay/AllowProjectionToPC** @@ -113,6 +155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. @@ -125,6 +176,7 @@ ms.date: 08/30/2017 +
**WirelessDisplay/AllowProjectionToPCOverInfrastructure** @@ -151,6 +203,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. @@ -159,14 +220,25 @@ ms.date: 08/30/2017 +
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1703. +
**WirelessDisplay/RequirePinForPairing** @@ -193,6 +265,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +
Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
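Review bot: In policy-csp-wirelessdisplay.md, **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** gains a Scope block, but its description is still only "Added in Windows 10, version 1703." The entry says nothing about what the policy controls, its supported values, or its default. An administrator cannot decide how to set it from this text, so add the description and value list in the same pass. The neighbouring "Allow or disallow requirement for a PIN for pairing" under RequirePinForPairing would also be clearer if it stated which value enforces the PIN.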
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md
index ee30992445..1319338ddc 100644
--- a/windows/client-management/mdm/reclaim-seat-from-user.md
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md
@@ -1,6 +1,6 @@
---
title: Reclaim seat from user
-description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business.
+description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business.
ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C
ms.author: maricia
ms.topic: article
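Review bot: The new `description:` value misspells the product name as "Micosoft Store for Business". It should read "Microsoft Store for Business". This is front-matter metadata, so the typo will surface in search snippets as well as on the page.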
@@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Reclaim seat from user
-The **Reclaim seat from user** operation returns reclaimed seats for a user in the Windows Store for Business.
+The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business.
## Request
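Review bot: The opening sentence under "# Reclaim seat from user" carries the same "Micosoft" misspelling as the front matter. Correct it to "Microsoft Store for Business" here too, so the rename is applied consistently.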
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 5016c86ac9..d64e4e1b4d 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: REST API reference for Windows Store for Business
-description: REST API reference for Windows Store for Business
+title: REST API reference for Micosoft Store for Business
+description: REST API reference for Micosoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
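Review bot: Both the `title:` and `description:` lines now read "Micosoft Store for Business", which looks like a search-and-replace typo for "Microsoft". Fix both values before merging, since the title is what appears in the browser tab and in navigation.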
@@ -13,7 +13,7 @@ author: nickbrower
ms.date: 06/19/2017
---
-# REST API reference for Windows Store for Business
+# REST API reference for Micosoft Store for Business
Here's the list of available operations:
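Review bot: The H1 is changed to "# REST API reference for Micosoft Store for Business", repeating the misspelling from the front matter. Use "Microsoft". A repository-wide search for "Micosoft" would show whether other files touched by this rename have the same problem.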
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 05e8da9fa3..aa98ff54c0 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/07/2017
+ms.date: 09/18/2017
---
# VPNv2 CSP
@@ -35,7 +35,7 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
The following diagram shows the VPNv2 configuration service provider in tree format.
-
+
**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@@ -303,6 +303,14 @@ A device tunnel profile must be deleted before another device tunnel profile can
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+**VPNv2/***ProfileName***/RegisterDNS**
+Allows registration of the connection's address in DNS.
+
+Valid values:
+
+- False = Do not register the connection's address in DNS (default).
+- True = Register the connection's addresses in DNS.
+
**VPNv2/***ProfileName***/DnsSuffix**
Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
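Review bot: The new **RegisterDNS** node has no "Value type is bool. Supported operations include ..." line, although the node just above it in the context ends with exactly that sentence. Add the value type and supported operations so the entry matches its siblings. The two value bullets are also inconsistent ("the connection's address" for False, "the connection's addresses" for True), so pick one form. Since the default is False, it would help to say in one sentence when an administrator would turn registration on.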
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 1312ba1a63..3208f1111a 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/07/2017
+ms.date: 09/18/2017
---
# VPNv2 DDF file
@@ -992,6 +992,33 @@ The XML below is for Windows 10, version 1709.
+
+Version 1.0
+© 2017 Microsoft. All rights reserved.
\ No newline at end of file
diff --git a/windows/configuration/images/gdpr-azure-info-protection.png b/windows/configuration/images/gdpr-azure-info-protection.png
new file mode 100644
index 0000000000..ff4581286d
Binary files /dev/null and b/windows/configuration/images/gdpr-azure-info-protection.png differ
diff --git a/windows/configuration/images/gdpr-comp-info-protection.png b/windows/configuration/images/gdpr-comp-info-protection.png
new file mode 100644
index 0000000000..a332b3476f
Binary files /dev/null and b/windows/configuration/images/gdpr-comp-info-protection.png differ
diff --git a/windows/configuration/images/gdpr-cve-graph.png b/windows/configuration/images/gdpr-cve-graph.png
new file mode 100644
index 0000000000..ebc3e7e36b
Binary files /dev/null and b/windows/configuration/images/gdpr-cve-graph.png differ
diff --git a/windows/configuration/images/gdpr-intelligent-security-graph.png b/windows/configuration/images/gdpr-intelligent-security-graph.png
new file mode 100644
index 0000000000..9448465c08
Binary files /dev/null and b/windows/configuration/images/gdpr-intelligent-security-graph.png differ
diff --git a/windows/configuration/images/gdpr-security-center.png b/windows/configuration/images/gdpr-security-center.png
new file mode 100644
index 0000000000..26936520a9
Binary files /dev/null and b/windows/configuration/images/gdpr-security-center.png differ
diff --git a/windows/configuration/images/gdpr-security-center2.png b/windows/configuration/images/gdpr-security-center2.png
new file mode 100644
index 0000000000..971a9918a5
Binary files /dev/null and b/windows/configuration/images/gdpr-security-center2.png differ
diff --git a/windows/configuration/images/gdpr-security-center3.png b/windows/configuration/images/gdpr-security-center3.png
new file mode 100644
index 0000000000..2c5e279211
Binary files /dev/null and b/windows/configuration/images/gdpr-security-center3.png differ
diff --git a/windows/configuration/images/gdpr-steps-diagram.png b/windows/configuration/images/gdpr-steps-diagram.png
new file mode 100644
index 0000000000..8fce18bccd
Binary files /dev/null and b/windows/configuration/images/gdpr-steps-diagram.png differ
diff --git a/windows/configuration/images/package.png b/windows/configuration/images/package.png
index f5e975e3e9..e10cf84f51 100644
Binary files a/windows/configuration/images/package.png and b/windows/configuration/images/package.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index df0e8e3a76..93aa72ed2a 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -21,6 +21,7 @@ Enterprises often need to apply custom configurations to devices for their users
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
| [Basic level Windows diagnostic data](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
+|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
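Review bot: The added GDPR row is written as `|[Beginning ...](gdpr-win10-whitepaper.md)|Learn about ...|` with no spaces inside the cell delimiters, while every other row in this table uses `| cell | cell |`. It renders the same, but matching the existing spacing keeps the table source readable and future diffs clean.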
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e5ebed0c80..8b9ecee3ff 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -31,6 +31,8 @@ To help make it easier to deploy settings to restrict connections from Windows 1
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+
## What's new in Windows 10, version 1703
Here's a list of changes that were made to this article for Windows 10, version 1703:
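Review bot: The added Feedback Hub link uses the `feedback-hub:?tabid=2&contextid=897` URI scheme, which only resolves on a device where the Feedback Hub app is registered as the handler. Readers viewing this page from any other device get a link that does nothing. The sentence does address "Windows 10 users", but consider saying explicitly that the link opens the Feedback Hub app, so that a non-working link is not mistaken for a broken page.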
@@ -71,7 +73,7 @@ See the following table for a summary of the management settings for Windows 10
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
-| [1. Certificate trust lists](#certificate-trust-lists) | |  | | | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  | | | |
| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  |  |
| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
@@ -100,20 +102,21 @@ See the following table for a summary of the management settings for Windows 10
| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
-| [17.13 Radios](#bkmk-priv-radios) |  |  |  |  | |
-| [17.14 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
-| [17.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
-| [17.16 Background apps](#bkmk-priv-background) |  |  |  | | |
-| [17.17 Motion](#bkmk-priv-motion) |  |  |  |  | |
-| [17.18 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
-| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
+| [17.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |  | |
+| [17.14 Radios](#bkmk-priv-radios) |  |  |  |  | |
+| [17.15 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
+| [17.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
+| [17.17 Background apps](#bkmk-priv-background) |  |  |  | | |
+| [17.18 Motion](#bkmk-priv-motion) |  |  |  |  | |
+| [17.19 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
+| [17.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
| [19. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
| [20. Teredo](#bkmk-teredo) | |  | |  |  |
| [21. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
| [22. Windows Defender](#bkmk-defender) | |  |  |  | |
| [23. Windows Media Player](#bkmk-wmp) |  | | | |  |
-| [24. Windows spotlight](#bkmk-spotlight) |  |  | |  | |
+| [24. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [25. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
| [26. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
| [27. Windows Update](#bkmk-wu) |  |  |  | | |
@@ -124,7 +127,7 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: |
-| [1. Certificate trust lists](#certificate-trust-lists) | |  |  | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  | |
| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |
| [3. Date & Time](#bkmk-datetime) |  |  |  | |
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  | |
@@ -150,7 +153,7 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
-| [1. Certificate trust lists](#certificate-trust-lists) |  |  | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  |  | |
| [3. Date & Time](#bkmk-datetime) |  |  | |
| [6. Font streaming](#font-streaming) |  |  | |
| [13. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
@@ -165,7 +168,7 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
-| [1. Certificate trust lists](#certificate-trust-lists) |  | |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) |  | |
| [3. Date & Time](#bkmk-datetime) |  | |
| [20. Teredo](#bkmk-teredo) | |  |
| [27. Windows Update](#bkmk-wu) |  | |
@@ -174,16 +177,15 @@ See the following table for a summary of the management settings for Windows Ser
Use the following sections for more information about how to configure each setting.
-### 1. Certificate trust lists
+### 1. Automatic Root Certificates Update
-A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available.
-
-To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
+The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available.
+For more information, see [Automatic Root Certificates Update Configuration](https://technet.microsoft.com/library/cc733922.aspx).
+Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
> [!CAUTION]
> By not automatically downloading the root certificates, the device might have not be able to connect to some websites.
-
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
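Review bot: The added sentence states that turning off Automatic Root Certificates Update "also prevents updates to the disallowed certificate list and the pin rules list", but the CAUTION block that follows warns only about failing to connect to some websites. The more serious consequence is that the device stops receiving the disallowed list and so may keep trusting certificates that have since been distrusted. Move that point into the CAUTION block. While touching this section, fix the context line "the device might have not be able to connect", which should read "might not be able to connect".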
@@ -558,7 +560,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
Default: blank |
-For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
### 13. Network Connection Status Indicator
@@ -1267,7 +1269,38 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-### 17.13 Radios
+### 17.13 Phone calls
+
+In the **Phone calls** area, you can choose which apps can make phone calls.
+
+To turn off **Let apps make phone calls**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessPhone**, with a value of 2 (two).
+
+
+To turn off **Choose apps that can make phone calls**:
+
+- Turn off the feature in the UI for each app.
+
+### 17.14 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
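Review bot: The registry path in the new Phone calls section, `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessPhone`, omits the `SOFTWARE` segment. Policy keys live under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`, and the CloudContent entries later in this same file spell the path that way. An administrator who creates the key exactly as written will believe phone-call access is denied while the setting has no effect. The LetAppsAccessMotion line visible in a later hunk has the same omission, which suggests it was copied from an existing entry, so fix the pattern across the App Privacy sections rather than only here.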
@@ -1298,7 +1331,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
-### 17.14 Other devices
+### 17.15 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@@ -1332,7 +1365,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-### 17.15 Feedback & diagnostics
+### 17.16 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
@@ -1417,7 +1450,7 @@ To turn off tailored experiences with relevant tips and recommendations by using
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
-### 17.16 Background apps
+### 17.17 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@@ -1440,7 +1473,7 @@ To turn off **Let apps run in the background**:
- **2**. Force deny
-### 17.17 Motion
+### 17.18 Motion
In the **Motion** area, you can choose which apps have access to your motion data.
@@ -1464,7 +1497,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two).
-### 17.18 Tasks
+### 17.19 Tasks
In the **Tasks** area, you can choose which apps have access to your tasks.
@@ -1486,7 +1519,7 @@ To turn this off:
- **1**. Force allow
- **2**. Force deny
-### 17.19 App Diagnostics
+### 17.20 App Diagnostics
In the **App diagnostics** area, you can choose which apps have access to your diagnostic information.
@@ -1636,7 +1669,7 @@ You can stop sending file samples back to Microsoft.
-or-
-- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
- **0**. Always prompt.
@@ -1682,9 +1715,9 @@ To remove Windows Media Player on Windows Server 2016:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-### 24. Windows spotlight
+### 24. Windows Spotlight
-Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
+Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy.
If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
@@ -1695,6 +1728,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
-or-
+- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
+
+ -or-
+
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
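Review bot: The new Experience/AllowWindowsSpotlight bullet links to the top of the policy-csp-experience page, whereas the Privacy/LetAppsAccessPhone bullet added in this same change deep-links to its policy with `#privacy-letappsaccessphone`. Link directly to the policy's own anchor here as well, so readers land on the setting rather than having to search a long page. It would also help to state what the value 0 means, as the other MDM bullets do with their value lists.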
@@ -1733,7 +1770,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
-or-
- - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
@@ -1847,7 +1884,7 @@ You can turn off automatic updates by doing one of the following. This is not re
-or-
-- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update), where:
- **0**. Notify the user before downloading the update.
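Review bot: the replacement Policy CSP link hard-codes the locale (`https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update`), while the Policy CSP link added for Spotlight earlier in this same file omits it (`https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience`). Suggest dropping `/en-us/` here so both links in the file follow one form.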
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index 4485b5e7e7..39f2e28ac0 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -44,7 +44,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
-
+[Learn more about policy settings for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)
## Related topics
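Review bot: the "Learn more about policy settings for Windows Spotlight" link replaces the blank line that separated the table from `## Related topics`, so it now directly follows the last table row and directly precedes the heading. Depending on the Markdown renderer, a text line immediately under a table row can be taken as another row. Suggest keeping a blank line on both sides of the new link.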
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index e4bec41c89..713a2b4b8d 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -103,7 +103,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
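Review bot: the Feedback Hub sentence takes the place of the blank line after the last list item, so with no blank line between them it can render as a continuation of the "Create a provisioning package with multivariant settings" bullet instead of as its own paragraph. Suggest adding the sentence after a blank line and not in place of it, as the MDT topics later in this patch do.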
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 7a5fa6db77..99ceb249ab 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -432,6 +432,6 @@ For a more secure kiosk experience, we recommend that you make the following con
- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
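Review bot: the link target `feedback-hub:?tabid=2&contextid=897` is a custom URI scheme, so it only opens where a handler for `feedback-hub:` is registered; anywhere else the link does nothing. The sentence is addressed to Windows 10 users, which helps, but consider saying in the text that the link opens the Feedback Hub app. The same `contextid=897` appears in every topic this patch touches; if that value is meant to identify the topic or area, confirm that one value for all of them is intended.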
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index e203016bfa..6454a3fe7c 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -32,8 +32,7 @@ On Windows 10 for desktop editions, the customized Start works by:
>[!NOTE]
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
->[!NOTE]
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+
## LayoutModification XML
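Review bot: of the two duplicate notes, the one kept links to `https://technet.microsoft.com/en-US/library/jj649079.aspx` and the one removed used the locale-free `https://technet.microsoft.com/library/jj649079.aspx`. Suggest keeping the locale-free URL in the surviving note.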
diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md
index f8b7650447..71e3551c63 100644
--- a/windows/configuration/stop-employees-from-using-the-windows-store.md
+++ b/windows/configuration/stop-employees-from-using-the-windows-store.md
@@ -114,7 +114,7 @@ If you're using Microsoft Store for Business and you want employees to only see
[Manage access to private store](/microsoft-store/manage-access-to-private-store)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 744e0acd11..a22b949f8b 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -58,4 +58,6 @@ Use these settings to configure policies for shared PC mode.
## Related topics
-- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
\ No newline at end of file
+- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
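Review bot: the file still ends with "\ No newline at end of file" after the added Feedback Hub line. Since the last lines are being rewritten anyway, end the file with a newline so the next append does not show the final line as changed again.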
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 31685f534d..47596e69d3 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -13,7 +13,7 @@ ms.date: 08/21/2017
# UsbErrorsOEMOverride (reference)
-Use UsbErrorsOEMOverride settings to .
+Allows an OEM to hide the USB option UI in Settings and all USB device errors.
## Applies to
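Review bot: the new description, "Allows an OEM to hide the USB option UI in Settings and all USB device errors", can be read as hiding the errors themselves or as hiding only their notifications, and it drops the "Use UsbErrorsOEMOverride settings to" opening that the removed line had started. Suggest something like "Use UsbErrorsOEMOverride settings to hide the USB option UI in Settings and the notifications for USB device errors", if that is the behaviour.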
@@ -24,4 +24,4 @@ Use UsbErrorsOEMOverride settings to .
## HideUsbErrorNotifyOptionUI
-
+Configure to **Show** or **Hide** the USB error notification.
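Review bot: the description for HideUsbErrorNotifyOptionUI says only "Configure to **Show** or **Hide** the USB error notification"; it does not say which value is the default, or whether the setting also covers the option UI in Settings that the setting name and the topic introduction refer to. Suggest stating the default and naming the UI element affected.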
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 10de96a306..35ab57c372 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -111,7 +111,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
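Review bot: the unchanged link text two lines above the addition reads "Customize Windows 10 Start and tasbkar with mobile device management (MDM)"; "tasbkar" should be "taskbar", and this is a convenient change to fix it in. As in the other topics, the Feedback Hub sentence replaces the blank line after the last bullet; add it after a blank line so it does not render as part of the "Changes to Start policies in Windows 10" item.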
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
index 611432abea..9f56ccf841 100644
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -6,12 +6,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
-author: brianlic-msft
+author: eross-msft
+ms.author: lizross
+ms.date: 09/14/2017
---
# Windows 10, version 1703 Diagnostic Data
-Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
The data covered in this article is grouped into the following categories:
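Review bot: the edited introduction still reads "describes all types diagnostic data collected by Windows"; since that line is being changed anyway, make it "all types of diagnostic data".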
@@ -21,10 +23,8 @@ The data covered in this article is grouped into the following categories:
- Product and Service Usage data
- Product and Service Performance data
- Software Setup and Inventory data
-- Content Consumption data
-- Browsing, Search and Query data
+- Browsing History data
- Inking, Typing, and Speech Utterance data
-- Licensing and Purchase data
> [!NOTE]
> The majority of diagnostic data falls into the first four categories.
@@ -66,8 +66,15 @@ This type of data includes details about the health of the device, operating sys
| Category Name | Description and Examples |
| - | - |
-| Device health and crash data | Information about the device and software health such as:
|
-| Device performance and reliability data | Information about the device and software performance such as:
+|Device health and crash data | Information about the device and software health such as:
|
+|Device performance and reliability data | Information about the device and software performance such as:
|
+|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
|
+|On-device file query | Information about local search activity on the device such as:
|
+|Purchasing| Information about purchases made on the device such as:
|
+|Entitlements | Information about entitlements on the device such as:
|
## Software Setup and Inventory data
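Review bot: the added Movies row ends "This isn't intended to capture user viewing, listening or habits", which lost a word when it was adapted from the removed section text ("user viewing, listening or reading habits"). Separately, Movies, On-device file query, Purchasing and Entitlements are added to a table whose section introduction, as quoted (truncated) in the hunk header, is about "the health of the device"; either widen that introduction or explain why these rows belong under it.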
@@ -78,25 +85,13 @@ This type of data includes software installation and update information on the d
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
|
| Device update information | Information about Windows Update such as:
-## Content Consumption data
+## Browsing History data
-This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits.
-
-| Category Name | Examples |
-| - | - |
-| Movies | Information about movie consumption functionality on the device such as:
|
-| Music & TV | Information about music and TV consumption on the device such as:
|
-| Reading | Information about reading consumption functionality on the device such as:
|
-| Photos App | Information about photos usage on the device such as:
-
-## Browsing, Search and Query data
-
-This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
+This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
| Microsoft browser data | Information about Address bar and search box performance on the device such as:
|
-| On-device file query | Information about local search activity on the device such as:
|
## Inking Typing and Speech Utterance data
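Review bot: the Content Consumption section is removed with four rows (Movies, Music & TV, Reading, Photos App), but only Movies is re-added in the previous hunk, so Music & TV, Reading and Photos App disappear from the article. Confirm that this is intended, or move those rows as well. The new section introduction, "details about web browsing in the Microsoft browsers", also does not match its one remaining row, which describes "Address bar and search box performance".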
@@ -105,13 +100,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
|
-
-## Licensing and Purchase data
-
-This type of data includes diagnostic details about the purchase and entitlement activity on the device.
-
-| Category Name | Data Examples |
-| - | - |
-| Purchase history | Information about purchases made on the device such as:
|
-| Entitlements | Information about entitlements on the device such as:
|
\ No newline at end of file
+| Voice, inking, and typing | Information about voice, inking and typing features such as:
|
\ No newline at end of file
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index f786f2f6ad..2f86c87a24 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -79,7 +79,7 @@ Pay attention to the checkbox in **Options**. In addition to providing the path
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index b070057f1d..5055de6869 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -222,8 +222,6 @@
#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
-##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
-##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## Windows Analytics
@@ -246,4 +244,6 @@
#### [Get started with Device Health](update/device-health-get-started.md)
#### [Using Device Health](update/device-health-using.md)
-## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
\ No newline at end of file
+## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
+
+## [Architectural planning posters for Windows 10](windows-10-architecture-posters.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a05a03bbe9..a3c44c5ab1 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -15,8 +15,18 @@ author: greg-lindsay
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
->Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
->Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
+>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
+>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
+
+## Enabling Subscription Activation with an existing EA
+
+If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
+
+1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
+ a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
+ b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
+2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
+3. The admin can now assign subscription licenses to users.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
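Review bot: the new "Enabling Subscription Activation with an existing EA" section is inserted between the version note and "Also in this article:", so that list of in-page links now sits under the new H2 and does not include the new section. Suggest moving the section below the list and adding an entry for it. In step 1, "place an order for $0 SKU" needs an article and "depending on their current Windows Enterprise SA license" switches from "you" to "their"; also check that the "a." and "b." sub-items are indented enough to nest under step 1.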
@@ -195,5 +205,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
A popup window will display the Windows 10 version number and detailed OS build information.
- If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
-
+ If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
\ No newline at end of file
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index e11c92867c..95255b68f9 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -79,7 +79,7 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT build 884 is available, including support for:
+MDT build 8443 is available, including support for:
- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
- The Windows ADK for Windows 10, version 1607.
- Integration with Configuration Manager version 1606.
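Review bot: the build number changes from 884 to 8443 while the support list under it is unchanged (Windows 10, version 1607; the Windows ADK for Windows 10, version 1607; Configuration Manager version 1606). Confirm that the list describes build 8443 and that 884 was only a typo for it.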
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index e5e8d59bf7..4662c2d40d 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -642,3 +642,5 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index f98e4c4744..f7c08f33ec 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -652,3 +652,5 @@ Figure 14. The partitions when deploying an UEFI-based machine.
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index ea7feeecfa..2f9a7b58e0 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -91,3 +91,6 @@ The information in this guide is designed to help you deploy Windows 10. In ord
[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
+
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
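Review bot: this topic gets two added blank lines before the Feedback Hub sentence, where the other MDT topics in this patch get one; use one for consistency. The file also still ends without a trailing newline.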
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index f828bce6a8..d898782a7c 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -400,3 +400,5 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 01404a9781..6ba9b74048 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -48,3 +48,5 @@ Windows as a service provides a new way to think about building, deploying, and
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/update/olympia/enrollment-keep-current-edition.md b/windows/deployment/update/olympia/enrollment-keep-current-edition.md
deleted file mode 100644
index b0016c44ee..0000000000
--- a/windows/deployment/update/olympia/enrollment-keep-current-edition.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Keep your current Windows 10 edition
-description: Olympia Corp enrollment - Keep your current Windows 10 edition
-ms.author: nibr
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: nickbrower
-ms.date: 09/01/2017
----
-
-# Olympia Corp enrollment
-
-## Keep your current Windows 10 edition
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
-
- 
-
-2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
-
-3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
-
- 
-
-4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
-
- > [!NOTE]
- > Passwords should contain 8-16 characters, including at least one special character or number.
-
- 
-
-5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
-
-6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
-
-7. Create a PIN for signing into your Olympia corporate account.
-
-8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
-
- > [!NOTE]
- > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
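Review bot: deleting this file will break any inbound link to `update/olympia/enrollment-keep-current-edition.md`, and the same applies to enrollment-upgrade-to-enterprise.md, which is deleted next; only the TOC entries are updated in this patch. Suggest adding redirects from both deleted paths to the matching sections of olympia-enrollment-guidelines.md.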
diff --git a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md b/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
deleted file mode 100644
index 6643971428..0000000000
--- a/windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Upgrade your Windows 10 edition from Pro to Enterprise
-description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
-ms.author: nibr
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: nickbrower
-ms.date: 09/01/2017
----
-
-# Olympia Corp enrollment
-
-## Upgrade your Windows 10 edition from Pro to Enterprise
-
-1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
-
- 
-
-2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
-
-3. Click **Connect**, then click **Join this device to Azure Active Directory**.
-
- 
-
-4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
-
- 
-
-5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
-
- > [!NOTE]
- > Passwords should contain 8-16 characters, including at least one special character or number.
-
- 
-
-6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-
-7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
-
-8. Create a PIN for signing into your Olympia corporate account.
-
-9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
-
-10. Restart your PC.
-
-11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
-
-12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
-
- > [!NOTE]
- > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
-
-13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
-
-\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
-
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 17b87bd7b0..fddd959017 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/01/2017
+ms.date: 09/14/2017
---
# Olympia Corp enrollment guidelines
@@ -17,6 +17,87 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Ent
Choose one of the following two enrollment options:
-1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
+1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition)
+
+2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise)
+
+
+
+## Keep your current Windows 10 edition
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
+
+6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+
+7. Create a PIN for signing into your Olympia corporate account.
+
+8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+
+
+## Upgrade your Windows 10 edition from Pro to Enterprise
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+ 
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect**, then click **Join this device to Azure Active Directory**.
+
+ 
+
+4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+ 
+
+5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+ > [!NOTE]
+ > Passwords should contain 8-16 characters, including at least one special character or number.
+
+ 
+
+6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+
+8. Create a PIN for signing into your Olympia corporate account.
+
+9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+10. Restart your PC.
+
+11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+
+12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+ > [!NOTE]
+ > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
-2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)
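Review bot: the two option links now point to `#enrollment-keep-current-edition` and `#enrollment-upgrade-to-enterprise`, but no anchor with either id is visible in the added lines, and the headings "Keep your current Windows 10 edition" and "Upgrade your Windows 10 edition from Pro to Enterprise" would normally generate different slugs. Unless explicit anchors are defined just above each heading, link to the heading slugs instead. In the upgrade procedure, step 9 repeats step 6 word for word ("When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**."); it was carried over from the deleted file, and one of the two should be removed or reworded.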
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 5e3c80f9c4..8e3da008da 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -25,14 +25,18 @@ Update Compliance has the following requirements:
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
-Service | Endpoint
---- | ---
-Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com
-Windows Error Reporting | watson.telemetry.microsoft.com
-Online Crash Analysis | oca.telemetry.microsoft.com
+ Service | Endpoint
+ --- | ---
+ Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com
+ Windows Error Reporting | watson.telemetry.microsoft.com
+ Online Crash Analysis | oca.telemetry.microsoft.com
- 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
+ 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
+
+ For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+
+ See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
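Review bot: The new link text in item 4 is misspelled ("Troublehsoot" should be "Troubleshoot"), and its target ends in `.md` (`/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md`) while the other site-relative links in the same item carry no extension; drop the `.md` so it resolves like its neighbours. The added Enhanced telemetry requirement for version 1607 or earlier also sits three paragraphs below item 2, which tells the reader that the basic level is enough. A short pointer from item 2 to this exception would stop admins from configuring Basic and then finding the Windows Defender AV assessment empty.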
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 9daa1a5103..a49a7adb06 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -147,7 +147,10 @@ Devices are evaluated by OS Version (e.g., 1607) and the count of how many are C
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
-
+
+
+>[!IMPORTANT]
+>If your devices are not showing up in the Windows Defender AV assessment section, check the [Troublshoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help.
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
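Review bot: The link text in the added IMPORTANT note is misspelled ("Troublshoot" should be "Troubleshoot"). The same topic is linked from update-compliance-get-started.md in this change with a different misspelling and a `.md` suffix on the target; make the two links identical in text and target.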
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 2b77126ecf..be0f75a719 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -21,7 +21,7 @@ ms.date: 07/27/2017
Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
-Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
+Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This means that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
For more details, see [Download mode](#download-mode).
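Review bot: The corrected paragraph still has a stray comma in the sentence just before the fix ("Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled"); remove it in the same edit. The hunk header shows `ms.date: 07/27/2017` unchanged, so update the date if this repository expects it to track content edits.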
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 0fdb3289c7..4cccf0d888 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -328,3 +328,5 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage device restarts after updates](waas-restart.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
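Review bot: The added footer links to `feedback-hub:?tabid=2&contextid=897`, a custom URI scheme that only resolves on a Windows 10 device with Feedback Hub installed; on any other platform the link has no handler. The sentence does address "Windows 10 users", but the link text gives no hint that it opens an app rather than a web page. The identical line is pasted into several topics in this change with the same `contextid`, so an include file would keep it maintainable.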
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 765051754a..a342d1a579 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -353,4 +353,6 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
+- [Manage device restarts after updates](waas-restart.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
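Review bot: The file still ends without a trailing newline after the added Feedback Hub line (`\ No newline at end of file` appears on both the old and new side). Since the last line is being rewritten anyway, end the file with a newline so the next append does not show this line as modified. The same applies to the waas-overview.md hunk, and in resolve-windows-10-upgrade-errors.md the marker appears only on the new side, so that change removes a newline the file previously had.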
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index fac84472ae..54085bccf6 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -198,4 +198,6 @@ With all these options, which an organization chooses depends on the resources,
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
+- [Manage device restarts after updates](waas-restart.md)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 81aed1c722..71202e04e6 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -966,3 +966,5 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 29a27310e4..90fabf7307 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -84,9 +84,9 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
-| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
-| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
+| `https://Vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
+| `https://settings.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
Note: The compatibility update KB runs under the computer’s system account.
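Review bot: The two new vortex rows end without a closing `|`, unlike the header and the `settings.data.microsoft.com` row, so the table is inconsistent and may render unevenly. The driver-information endpoints (`https://go.microsoft.com/fwlink/?LinkID=544713` and `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`) are removed with no replacement row; if they are still needed, admins who build their allow list from this table will block them, so confirm the removal is intended and say so in the commit message. The new row also says "compatibility update" while the note directly below still says "compatibility update KB"; use one term.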
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 7b48b01727..8dd86431f4 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -337,7 +337,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
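Review bot: The Feedback Hub line replaces the blank line that followed the related-topics links, so it now sits directly under `[Windows upgrade and migration considerations](...)` with no separator and will run into that paragraph when rendered. The other topics in this change add an empty line before the footer; do the same here.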
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 118d52b056..7213b01b6c 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -5,6 +5,7 @@ ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.date: 09/07/2017
author: greg-lindsay
---
@@ -28,6 +29,8 @@ The following sections discuss common issues that you might see when you run the
[Hard Link Migration Problems](#bkmk-hardlink)
+[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
+
## General Guidelines for Identifying Migration Problems
@@ -222,6 +225,28 @@ There are three typical causes for this issue.
**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
+### USMT does not migrate the Start layout
+
+**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
+
+**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
+
+**Resolution:** The following workaround is available:
+
+1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
+
+ ```
+ Export-StartLayout -Path "C:\Layout\user1.xml"
+ ```
+2. Migrate the user's profile with USMT.
+3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
+
+ ```
+ Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
+ ```
+
+This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
+
## Offline Migration Problems
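Review bot: In step 3, `–MountPath %systemdrive%` will not work as typed in Windows PowerShell, because `%systemdrive%` is cmd.exe syntax and PowerShell passes it through as a literal string; use `$env:SystemDrive\` instead. The same command uses en dashes (`–LayoutPath`, `–MountPath`) where step 1 uses a plain hyphen (`-Path`); switch to hyphens so both examples match and copy cleanly. In the closing paragraph, "a mass migrations" should be "mass migrations". Because the import changes the Default user's layout for everyone who signs in later, the cleanup (deleting layoutmodification.xml from the Default user profile) would be safer as a numbered step that states where the file lives than as a trailing sentence.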
@@ -286,6 +311,10 @@ USMTutils /rd
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
-|Hardware memory|8 GB minimum, 16 GB recommended|
+|Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
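Review bot: The new Hardware memory value drops the stated minimum: "8 GB minimum, 16 GB recommended" becomes "Microsoft recommends 8GB RAM for optimal performance", so a requirements table no longer says what the floor is. If 8 GB is still the minimum, keep the word "minimum"; if the requirement was relaxed, state the new minimum explicitly. Write "8 GB" with a space to match "5 GB" in the Hard disk row.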
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index df475ea509..465c993f93 100644
--- a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -19,7 +19,6 @@ The threat landscape is continually evolving. While hackers are busy developing
Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
-
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
@@ -39,8 +38,8 @@ Application Guard has been created to target 3 types of enterprise systems:
## In this section
|Topic |Description |
|------|------------|
-|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
-|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
+|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 1c0e90fab7..9592c54ea3 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
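Review bot: The free-trial blockquote is inserted between the prerelease include and the topic's first sentence, so every reader meets a sign-up prompt before learning what the page covers. The same block is pasted into each Windows Defender ATP topic in this change with only the `ocid` value differing; an include, like the existing `[!include[Prerelease information](prerelease.md)]`, placed below the introduction would be easier to maintain and to remove later.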
@@ -50,6 +52,8 @@ This feature is only available if you have an active Office 365 E5 or the Threat
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
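Review bot: The added paragraph refers to "Office 365 Threat Intelligence", while the sentence directly above it describes integrating data from "Office 365 Advanced Threat Protection"; say how the two relate, or the reader cannot tell whether this is the same integration or a second one. "Enable the Windows Defender ATP settings in the Security & Compliance dashboard" also gives no navigation path, unlike the numbered steps under "Enable advanced features"; add the menu location or link straight to the page that has it.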
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 5b05198ca9..42299706d8 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
+
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 2d146c99a0..764fe72b5d 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,9 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
+
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
@@ -36,240 +39,39 @@ The ArcSight field column contains the default mapping between the Windows Defen
Field numbers match the numbers in the images below.
-
-
+> [!div class="mx-tableFixed"]
+| Portal label | SIEM field name | ArcSight field | Example value | Description |
+|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
+| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
+| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
+| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
+| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
+| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
+| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
+| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
+| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
+| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
+| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
+| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
+| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
+| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
+| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
+| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
+| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
+| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
+| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
+| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
+| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
+| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
+| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
+| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
+| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
+| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
+| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
+| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
+| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
+| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.

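Review bot: Row 13 maps ThreatName to `eviceCustomString1`, which looks like a dropped leading "d" given the neighbouring `deviceCustomString4`, `deviceCustomString5` and `deviceCustomString6`; anyone copying that value into a SIEM mapping gets a field name that matches nothing. The ComputerDnsName row carries the portal label `21+5`, which is not a single field number even though the text above says field numbers match the images, and the last row (deviceVersion) is missing its closing `|`. The `> [!div class="mx-tableFixed"]` line is quoted but the table rows under it are not, so check in a rendered preview that the wrapper actually applies to the table.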
@@ -278,7 +80,7 @@ Field numbers match the numbers in the images below.

-
+

diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 3f9933916f..8c52c26e52 100644
--- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
@@ -82,3 +84,6 @@ For more information see, [Manage Azure AD group and role membership](https://te
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.

+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
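Review bot: The link added at the bottom uses `ocid=docs-wdatp-portalaccess-belowfoldlink`, while the one added at the top of this same topic uses `docs-wdatp-assignaccess-abovefoldlink`; if the tag is meant to identify the page, the two should share one page token. This is also the only topic visible in this change that gets a second sign-up prompt below the content, so confirm that is intentional rather than a leftover.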
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index 723ff75a42..b4cac17a7c 100644
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
+
The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.

diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index beff40e45f..c4c965309f 100644
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
+
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 59f69d831e..1c7f1bf825 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
+
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
> [!NOTE]
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 2d17ac8b25..c0c4500c23 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -27,6 +27,9 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
+
+
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index a1f1d75d60..690593d58b 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -25,10 +25,17 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
+
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
+## Before you begin
+If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
+
+For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
+
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
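Review bot: The added "Before you begin" paragraph says the device must be "MDM Enrolled" but gives no way to confirm that, and the capitalization is off; suggest "the device must be enrolled in MDM" plus one sentence on where to check enrollment status, since the stated consequence is that settings are not applied. The link text "Setup Windows Device Management" should use the verb form "Set up". The context around the new section also shows the same "For more information on using Windows Defender ATP CSP see, ..." paragraph twice, once before "Before you begin" and once under "Configure endpoints using Microsoft Intune"; one copy can be dropped.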
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 89b06fa326..dccdfe3ee5 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
+
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index e2993d8ccb..c2d209b804 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
> [!NOTE]
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 8d28359a61..433ebdcd72 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -20,6 +20,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
+
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
@@ -33,6 +35,9 @@ Windows Defender ATP supports non-persistent VDI session onboarding. There might
You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
+>[!WARNING]
+> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
+
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
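Review bot: In the added WARNING, "proceedure" is misspelled, and the warning describes a slowdown without telling the reader what to do about it. Suggest "procedure", and add what to expect or check, for example how long to wait before treating a VDI session as not onboarded, so that a slow boot on a low-resource image is not mistaken for a failed onboarding.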
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 8b9d4a256a..12896138c5 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -39,6 +39,9 @@ Topic | Description
:---|:---
[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
-[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
+[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
\ No newline at end of file
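Review bot: The "Managment" fix in the Mobile Device Management row is right, but the System Center Configuration Manager row directly above it still reads "You can use either use" and has a missing space in "Manager(current branch)"; fix those in the same pass. The appended trial link also leaves the file without a trailing newline, as the "\ No newline at end of file" marker shows, so end the file with one.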
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 1363cca541..60d72976e0 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
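Review bot: The ocid in the added link is docs-wdatp-configureendpointsscript-abovefoldlink, the same value this patch adds to the configure-endpoints-script page, so it looks copied from that file. Every other page touched here gets its own ocid; if the value is meant to identify the originating page, give the proxy page a page-specific one so the two pages are not reported under a single identifier.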
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index f359c9d10b..343f4351d5 100644
--- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -22,6 +22,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
+
Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
Windows Defender ATP supports the onboarding of the following servers:
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index c90b025275..a11b5b6701 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+
## Pull alerts using supported security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 701451367b..60e6cfaceb 100644
--- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
+
You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 48810c5ae3..5fafa61b0a 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
+
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
## Before you begin
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 333d2f5e83..0c3dc01eda 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
+
The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
@@ -116,6 +118,9 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb

+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
+
## Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index c482403b20..6f7eed13ef 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -79,3 +79,5 @@ Microsoft provides customers with detailed information about Microsoft's securit
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index e3a3b4ae51..0f7c42f24e 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
+
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 32ba05c13a..4e98e3b3b4 100644
--- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
+
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
diff --git a/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a95a52eb1d
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,49 @@
+---
+title: Enable Security Analytics in Windows Defender ATP
+description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard.
+keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Enable Security Analytics security controls
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
+
+ >[!NOTE]
+ >Changes might take up to a few hours to reflect on the dashboard.
+
+1. In the navigation pane, select **Preferences setup** > **Security Analytics**.
+
+ 
+
+2. Select the security control, then toggle the setting between **On** and **Off**.
+
+3. Click **Save preferences**.
+
+## Related topics
+- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
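Review bot: The intro tells readers who use third-party solutions to exclude the corresponding controls, but the page never says what switching a control to Off does to the control itself; as written, step 2 can be read as disabling the security control rather than changing what the score counts. Suggest one sentence stating exactly what On and Off change. Smaller points: the NOTE block and the image line are indented by one space, unlike the unindented WARNING block added to the VDI page in this patch; the H1 "Enable Security Analytics security controls" does not match the front-matter title "Enable Security Analytics in Windows Defender ATP"; and the file has no trailing newline.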
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 26467de977..b34a43be0e 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 4200e50e85..f23dc99857 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -29,14 +29,14 @@ ms.date: 09/05/2017
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
-For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
+1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
open the log.
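Review bot: In step 1, "Click **Start** on the Windows menu" reads backwards, since Start is the menu being opened; the removed wording "Click **Start**, type **Event Viewer**" was clearer. Suggest keeping the original or using "Open the **Start** menu, type **Event Viewer**". The "**Machines list** list" correction above it is fine.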
@@ -334,7 +334,7 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
-
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index d5eb939076..6085998914 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink)
+
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).
diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 239c463a13..73a2c6b1c7 100644
--- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,8 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 89ede3edae..07eef0d4b5 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
+
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
## Inactive machines
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index db7f9796a9..2a702cecc7 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
+
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
new file mode 100644
index 0000000000..4005404aff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
new file mode 100644
index 0000000000..9d8ae5a5cd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png
new file mode 100644
index 0000000000..0f5ef13a77
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
index 65dc93e72c..729042ed30 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png b/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png
new file mode 100644
index 0000000000..aeae7b6a42
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-preview-features.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png
new file mode 100644
index 0000000000..58d25e0f9d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-region-control-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
new file mode 100644
index 0000000000..9cbf01f81a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index d2e1a9a60a..c743b8f2cb 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -21,6 +21,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
+
Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.

diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index 6c5effd35b..e7a73b2f71 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
+
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can see information from the following sections in the URL view:
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index afb66067f3..e90acdfa3d 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 0efb6d5061..beae2f18fb 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index f437a524b9..d9ae0d1c13 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -21,6 +21,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+
## Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
@@ -57,6 +59,55 @@ You'll also see details such as logon types for each user account, the user grou
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
+## Manage machine group and tags
+Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
+
+Machine related properties are being extended to account for:
+
+- Group affiliation
+- Dynamic context capturing
+
+
+
+### Group machines
+Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
+
+Machine group is defined in the following registry key entry of the machine:
+
+- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
+- Registry key value (string): Group
+
+
+### Set standard tags on machines
+Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
+
+1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+ You can also get to the alert page through the file and IP views.
+
+2. Open the **Actions** menu and select **Manage tags**.
+
+ 
+
+3. Enter tags on the machine. To add more tags, click the + icon.
+4. Click **Save and close**.
+
+ 
+
+ Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
+
+### Manage machine tags
+You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
+
+
+
+
+
## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
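Review bot: The added "Group machines" section says "After creating groups" but never explains how a group is created; it only names the key `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` and the string value `Group`. Please state how the value is expected to be deployed, what string format is accepted, and when a change shows up in the Machines list. Because the value is read from the endpoint's own registry, it is also worth saying that whoever can write that key on the machine decides which group it appears in. Two smaller points in the tagging procedure: step 1 ends with "You can also get to the alert page through the file and IP views", which talks about the alert page in a procedure about the machine page, and "### Manage machine tags" is a single sentence followed by blank lines, so it should either get its steps or be folded into the previous section.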
@@ -93,18 +144,8 @@ Use the search bar to look for specific timeline events. Harness the power of us
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays all raw events without aggregation or filtering
-- **Event type** - Click the drop-down button to filter by the following levels:
- - Windows Defender ATP alerts
- - Windows Defender AV alerts
- - Response actions
- - AppGuard related events
- - Windows Defender Device Guard events
- - Process events
- - Network events
- - File events
- - Registry events
- - Load DLL events
- - Other events
-
- Portal label
- SIEM field name
- ArcSight field
- Example value
- Description
-
-
-
- 1
- AlertTitle
- name
- A dll was unexpectedly loaded into a high integrity process without a UAC prompt
- Value available for every alert.
-
-
-
- 2
- Severity
- deviceSeverity
- Medium
- Value available for every alert.
-
-
-
- 3
- Category
- deviceEventCategory
- Privilege Escalation
- Value available for every alert.
-
-
-
- 4
- Source
- sourceServiceName
- WindowsDefenderATP
- Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.
-
-
-
- 5
- MachineName
- sourceHostName
- liz-bean
- Value available for every alert.
-
-
-
- 6
- FileName
- fileName
- Robocopy.exe
- Available for alerts associated with a file or process.
-
-
-
- 7
- FilePath
- filePath
- C:\Windows\System32\Robocopy.exe
- Available for alerts associated with a file or process. \
-
-
-
- 8
- UserDomain
- sourceNtDomain
- contoso
- The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
-
-
-
- 9
- UserName
- sourceUserName
- liz-bean
- The user context running the activity, available for Windows Defender ATP behavioral based alerts.
-
-
-
- 10
- Sha1
- fileHash
- 5b4b3985339529be3151d331395f667e1d5b7f35
- Available for alerts associated with a file or process.
-
-
-
- 11
- Md5
- deviceCustomString5
- 55394b85cb5edddff551f6f3faa9d8eb
- Available for Windows Defender AV alerts.
-
-
-
- 12
- Sha256
- deviceCustomString6
- 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5
- Available for Windows Defender AV alerts.
-
-
-
- 13
- ThreatName
- eviceCustomString1
- Trojan:Win32/Skeeyah.A!bit
- Available for Windows Defender AV alerts.
-
-
-
- 14
- IpAddress
- sourceAddress
- 218.90.204.141
- Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
-
-
-
- 15
- Url
- requestUrl
- down.esales360.cn
- Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
-
-
-
- 16
- RemediationIsSuccess
- deviceCustomNumber2
- TRUE
- Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
-
-
-
- 17
- WasExecutingWhileDetected
- deviceCustomNumber1
- FALSE
- Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
-
-
-
- 18
- AlertId
- externalId
- 636210704265059241_673569822
- Value available for every alert.
-
-
-
- 19
- LinkToWDATP
- flexString1
- `https://securitycenter.windows.com/alert/636210704265059241_673569822`
- Value available for every alert.
-
-
-
- 20
- AlertTime
- deviceReceiptTime
- 2017-05-07T01:56:59.3191352Z
- The time the activity relevant to the alert occurred. Value available for every alert.
-
-
-
- 21
- MachineDomain
- sourceDnsDomain
- contoso.com
- Domain name not relevant for AAD joined machines. Value available for every alert.
-
-
-
- 22
- Actor
- deviceCustomString4
-
- Available for alerts related to a known actor group.
-
-
-
- 21+5
- ComputerDnsName
- No mapping
- liz-bean.contoso.com
- The machine fully qualified domain name. Value available for every alert.
-
-
-
-
- LogOnUsers
- sourceUserId
- contoso\liz-bean; contoso\jay-hardee
- The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
-
-
-
- Internal field
- LastProcessedTimeUtc
- No mapping
- 2017-05-07T01:56:58.9936648Z
- Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
-
-
-
-
- Not part of the schema
- deviceVendor
-
- Static value in the ArcSight mapping - 'Microsoft'.
-
-
-
-
- Not part of the schema
- deviceProduct
-
- Static value in the ArcSight mapping - 'Windows Defender ATP'.
-
-
-
-
- Not part of the schema
- deviceVersion
-
- Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
-
-
+- **Event type** - Click the drop-down button to filter by events such as Windows - Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others.
+
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.
- **User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
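Review bot: The replacement **Event type** bullet reads "filter by events such as Windows - Windows Defender ATP alerts", where "Windows - " looks like leftover text from the old list. The shortened summary also no longer names process or network events, although the unchanged paragraph right after it tells the reader to filter to "Process events" and "network events". Suggest dropping the stray "Windows - " and either keeping the full list or naming the event types that paragraph relies on.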
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 52c8a9583f..1b36dc7c3c 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
+
## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
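Review bot: The ocid in the added trial link is spelled `docs-wdatp-investigatgeuser-abovefoldlink`; the extra "g" looks like a typo for `investigateuser`, going by the sibling files in this change (`investigatealerts`, `investigatedomain`, `investigatefiles`, `investigateip`, `investigatemachines`). If the ocid is used for tracking, fix it before merge so this page is not counted under a misspelled id.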
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 4fa77ae8f4..205494624b 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
+
The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
Use the Machines list in these main scenarios:
@@ -37,7 +39,7 @@ Use the Machines list in these main scenarios:
## Sort, filter, and download the list of machines from the Machines list
You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
-Filter the **Machines list** by time period, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, or **Groups** to focus on certain sets of machines, according to the desired criteria.
+Filter the **Machines list** by **Time**, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, **Groups**, or **Tags** to focus on certain sets of machines, according to the desired criteria.
You can also download the entire list in CSV format using the **Export to CSV** feature.
@@ -56,29 +58,31 @@ You can use the following filters to limit the list of machines displayed during
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
-- Linux
-- Mac OS
- Other
-**Health**
-- All
-- Well configure
-- Requires attention - Depending on the Windows Defender security controls configured in your enterprise, you'll see various available filters.
-
**Sensor health state**
Filter the list to view specific machines grouped together by the following machine health states:
- **Active** – Machines that are actively reporting sensor data to the service.
- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
- - Impaired communications
- No sensor data
+ - Impaired communications
For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
-**Malware category**
+**Security state**
+Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization.
+
+
+- **Well configured** - Machines have the Windows Defender security controls well configured.
+- **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization.
+
+For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md).
+
+**Malware category alerts**
Filter the list to view specific machines grouped together by the following malware categories:
- **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee.
- **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers.
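Review bot: After the **Health** block is removed here, the filter is documented only under the bold label **Sensor health state**, but the filter sentence changed in the previous hunk still calls it **Health**. Use one name in both places so readers can match the text to the filter. In the new **Security state** section, "Machines have the Windows Defender security controls well configured" defines the state with its own name; say what condition puts a machine in **Well configured** as opposed to **Requires attention**. There are also two consecutive blank lines before the list that can be reduced to one.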
@@ -88,6 +92,8 @@ Filter the list to view specific machines grouped together by the following malw
- **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
- **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
+## Groups and tags
+You can filter the list based on the grouping and tagging that you've added to individual machines. For more information, see [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags).
## Export machine list to CSV
You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file.
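Review bot: "## Groups and tags" is added as a level-2 heading, while the other filters in this section (**Sensor health state**, **Security state**, **Malware category alerts**) are bold labels, so this filter would be promoted to a top-level topic in the page outline. Suggest using the same bold-label form, and adding a blank line between the new paragraph and "## Export machine list to CSV".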
@@ -99,13 +105,11 @@ Exporting the list in CSV format displays the data in an unfiltered manner. The
You can sort the **Machines list** by the following columns:
- **Machine name** - Name or GUID of the machine
-- **Domain** - Domain where the machine is joined in
-- **OS Platform** - Indicates the OS of the machine
- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
- **Last seen** - Date and time when the machine last reported sensor data
- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
- **Active Alerts** - Number of alerts reported by the machine by severity
-- **Active malware detections** - Number of active malware detections reported by the machine
+- **Active malware alerts** - Number of active malware detections reported by the machine
> [!NOTE]
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
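Review bot: The column is renamed to **Active malware alerts**, but its description still says "Number of active malware detections" and the unchanged note directly below still refers to "The **Active malware detections** filter column". Update the note and the description to the new name in the same change. This hunk also drops **Domain** and **OS Platform** from the sortable columns while the page introduction still says the list shows the domain of each machine; please confirm that both statements are accurate.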
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index be0229d1d1..21c56a7475 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
+
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index b43ff9eb93..6f4ca6d581 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 09/05/2017
There are some minimum requirements for onboarding your network and endpoints.
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
## Minimum requirements
You must be on Windows 10, version 1607 at a minimum.
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index d5a674a071..358f434974 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
@@ -45,3 +47,5 @@ Topic | Description
[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
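Review bot: The added trial link becomes the last line of the file and the file now ends without a trailing newline; add one to keep later diffs of this file clean. The same call to action is already added above the fold in the first hunk of this file, so consider whether the page needs it twice.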
diff --git a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 2f535cb869..0000000000
--- a/windows/threat-protection/windows-defender-atp/optimize-security-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Optimize Windows Defender Antivirus
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
-ms.date: 09/05/2017
----
-
-# Optimize Windows Defender Antivirus
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-[!include[Prerelease information](prerelease.md)]
-
-The Antivirus optimization tile provides a list of recommendations to affected machines. Taking action on the recommendations will help improve your overall organizational security:
-
-- [Use Windows Defender AV with Windows Defender ATP](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
-- [Turn on cloud-delivered protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
-- [Turn on protection from potentially unwanted applications](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
-- [Turn on real-time protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
-- [Update antivirus protection and definitions](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
\ No newline at end of file
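Review bot: No redirect or replacement for optimize-security-windows-defender-advanced-threat-protection.md is visible in this part of the change, so any topic or table-of-contents entry that still links to it will break once the file is deleted. Please confirm that inbound links are updated, or add a redirect to the topic that now carries the antivirus recommendations.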
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 7a8e8393e6..ac5a0f7173 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -25,12 +25,14 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Windows Defender ATP settings, including time zone and alert suppression rules
+- Change Windows Defender ATP settings, including time zone and review licensing information.
## Windows Defender ATP portal
When you open the portal, you’ll see the main areas of the application:
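Review bot: The rewritten bullet "Change Windows Defender ATP settings, including time zone and review licensing information." is not parallel ("including time zone and review ...") and ends with a period, while the two bullets above it have none. Suggest "Change Windows Defender ATP settings, such as the time zone, and review licensing information" without the trailing period.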
@@ -48,13 +50,13 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** -Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
+(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** -Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
-**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
+**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.
+**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, enable or turn off advanced features, and build Power BI reports.
**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
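Review bot: In the **Alerts queue** row, "view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules" lists suppression rules as if they were a queue of alerts. Since this change moves suppression rules out of the Settings description, say so explicitly, for example "view separate queues of new, in progress, and resolved alerts and alerts assigned to you, and manage suppression rules". While this table is being edited, "Window Defender ATP" in the unchanged **Service health** row can be corrected to "Windows Defender ATP".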
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index afcd9030c3..705ff8da95 100644
--- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
+
Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
@@ -79,7 +81,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
- >[NOTE]
+ >[!NOTE]
>If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.

diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index e3960714e7..c1070db950 100644
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -175,6 +175,9 @@ $ioc =
```
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink)
+
+
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index beade9fba5..504d423fd0 100644
--- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
+
Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
## In this section
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index ec38ff1fd1..1c08c4225a 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
+
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**.
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 096f49bab4..3dfbb8db03 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -27,6 +27,8 @@ ms.date: 09/05/2017
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
+
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
@@ -34,6 +36,9 @@ You'll have access to upcoming features which you can provide feedback on to hel
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**.
+
+ 
+
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
@@ -56,7 +61,7 @@ You can lock down a device and prevent subsequent attempts of potentially malici
- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
-- [Manage machine group and tags](respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+- [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
@@ -66,5 +71,5 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
-
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index ebf7206b49..8a7b308e76 100644
--- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index 607ab8d422..222900d1ef 100644
--- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -177,6 +177,10 @@ with requests.Session() as session:
pprint(json.loads(response.text))
```
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink)
+
+
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 328a0ff719..5f18a842a7 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
>[!NOTE]
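Review bot: The `ocid` value in the added trial link reads `docs-wdatp-responddile-abovefoldlink`, which looks like a typo for `respondfile`; the sibling page in this patch uses `docs-wdatp-respondmachine-abovefoldlink`. The tracking ID is what attributes clicks to this page, so correct it before merge.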
@@ -93,11 +95,15 @@ You can roll back and remove a file from quarantine if you’ve determined that
> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
## Block files in your network
-You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
+You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!NOTE]
>This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later.
+
+>[!IMPORTANT]
+> The PE file needs to be in the machine timeline for you to be able to take this action.
+
### Enable the block file feature
1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**.
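Review bot: The new availability sentence says the block action works on "Windows 10, version 1703 or later", but the note in respond-machine-alerts, which this patch leaves unchanged, still says response actions are "only available for machines on Windows 10, version 1703". Align the two statements so readers are not left guessing whether later versions are supported. The unchanged step below the new callout also says **Preference Setup**, while the other pages in this patch call the menu **Preferences setup**.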
@@ -109,9 +115,7 @@ This feature is designed to prevent suspected malware (or potentially malicious
3. Type a comment and select **Yes, block file** to take action on the file.
-
The Action center shows the submission information:
-

- **Submission time** - Shows when the action was submitted.
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 0879c73c17..0aa55c8947 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -25,57 +25,14 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
+
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
-## Manage machine group and tags
-Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
-
-Machine related properties are being extended to account for:
-
-- Group affiliation
-- Dynamic context capturing
-
-
-
-### Group machines
-Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
-
-Machine group is defined in the following registry key entry of the machine:
-
-- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (string): Group
-
-
-### Set standard tags on machines
-Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
-
-1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
-
- - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines list** - Select the machine name from the list of machines.
- - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
- You can also get to the alert page through the file and IP views.
-
-2. Open the **Actions** menu and select **Manage tags**.
-
- 
-
-3. Enter tags on the machine. To add more tags, click the + icon.
-4. Click **Save and close**.
-
- 
-
- Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
-
-### Manage machine tags
-You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
-
-
## Collect investigation package from machines
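Review bot: Confirm that the "Manage machine group and tags" content removed here exists under the same heading in investigate-machines-windows-defender-advanced-threat-protection.md, because the preview page in this patch now links to its `#manage-machine-group-and-tags` anchor there and the part of the patch shown here does not add it. The removed text includes the `DeviceTagging` registry key and its `Group` value, which should not be lost in the move.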
@@ -156,7 +113,7 @@ As part of the investigation or response process, you can remotely initiate an a

- - **Submission time** - Shows when the isolation action was submitted.
+ - **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
@@ -188,7 +145,7 @@ The action to restrict an application from running applies a code integrity poli

- - **Submission time** - Shows when the isolation action was submitted.
+ - **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
@@ -244,7 +201,7 @@ On Windows 10, version 1710 and above, you'll have additional control over the n
The Action center shows the submission information:

- - **Submission time** - Shows when the isolation action was submitted.
+ - **Submission time** - Shows when the action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 548e32a5b1..095581b550 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -26,6 +26,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink)
+
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
>[!NOTE]
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 4a5e44b615..26057dc724 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: View the Security Analytics dashboard in Windows Defender ATP
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
-keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
+keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/02/2017
---
# View the Windows Defender Advanced Threat Protection Security analytics dashboard
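Review bot: `ms.date` is bumped to 10/02/2017 only in this file; the other pages touched by this patch keep `ms.date: 09/05/2017` (visible in their hunk headers), including respond-file-alerts, whose supported file types and OS version text changed. Update the date on the pages with content changes as well.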
@@ -24,43 +24,50 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink)
+
+
The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
The **Security analytics dashboard** displays a snapshot of:
- Organizational security score
- Security coverage
- Improvement opportunities
+- Security score over time
-
+
## Organizational security score
The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
+
-Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
+Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
+In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile.
+
+You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
## Security coverage
-The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
+The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
-
+
## Improvement opportunities
Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Click on each control to see the recommended optimizations.
-
+
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
-Recommendations that do not display a green action are informational only and no action is required.
+>[!IMPORTANT]
+>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
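Review bot: The added sentence about score baselines sends readers to **Preferences settings**, but the menu is called **Preferences setup** on the preferences-setup and preview-settings pages in this patch; use the same name. In the Security coverage paragraph, the bold on "any kind of attention" reads as emphasis rather than a UI label and could be dropped. The unchanged last line of this hunk still has "the the recommendation", which is worth fixing while the section is being edited.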
@@ -68,9 +75,22 @@ The following image shows an example list of machines where the EDR sensor is no

-### Endpoint detection and response (EDR) optimization
-This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
+## Security score over time
+You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
+
+
+You can click on specific date points to see the total score for that security control is on a particular date.
+
+### Endpoint detection and response (EDR) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
+
+#### Minimum baseline configuration setting for EDR:
+- Windows Defender ATP sensor is on
+- Data collection is working correctly
+- Communication to Windows Defender ATP service is not impaired
+
+#### Minimum baseline configuration setting for EDR:
You can take the following actions to increase the overall security score of your organization:
- Turn on sensor
- Fix sensor data collection
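Review bot: In the EDR section the heading `#### Minimum baseline configuration setting for EDR:` is added twice; the second one sits above the list of actions and should be a "Recommended actions" heading, as in the other control sections. The intro sentence also stops short ("so that the minimum baseline configuration setting for your Endpoint detection and response tool."), where the parallel sections end with "is fulfilled". Under "Security score over time", "how taking the recommended actions increase" and "the total score for that security control is on a particular date" need a grammar pass.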
@@ -78,9 +98,19 @@ You can take the following actions to increase the overall security score of you
For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-### Windows Defender Antivirus optimization
-This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
+### Windows Defender Antivirus (Windows Defender AV) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
+#### Minimum baseline configuration setting for Windows Defender AV:
+Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
+
+- Windows Defender AV is reporting correctly
+- Windows Defender AV is turned on
+- Signature definitions are up to date
+- Real-time protection is on
+- Potentially Unwanted Application (PUA) protection is enabled
+
+##### Recommended actions:
You can take the following actions to increase the overall security score of your organization:
>[!NOTE]
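Review bot: Heading levels are inconsistent across the control sections: here `##### Recommended actions:` sits one level below `#### Minimum baseline configuration setting for Windows Defender AV:`, so the actions nest under the baseline, while the EDR section uses `####` for both headings. Pick one structure and apply it to every section. In the intro sentence, "comply to" should be "comply with".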
@@ -90,7 +120,6 @@ You can take the following actions to increase the overall security score of you
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
- Turn on antivirus
- Update antivirus definitions
-- Turn on cloud-based protection
- Turn on real-time protection
- Turn on PUA protection
@@ -102,11 +131,115 @@ This tile shows you the exact number of machines that require the latest securit
You can take the following actions to increase the overall security score of your organization:
- Install the latest security updates
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+
+
+### Windows Defender Exploit Guard (Windows Defender EG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender EG:
+Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
+
+- System level protection settings are configured correctly
+- Attack Surface Reduction rules are configured correctly
+- Controlled Folder Access setting is configured correctly
+
+##### System level protection:
+The following system level configuration settings must be set to **On or Force On**:
+
+1. Control Flow Guard
+2. Data Execution Prevention (DEP)
+3. Randomize memory allocations (Bottom-up ASLR)
+4. Validate exception chains (SEHOP)
+5. Validate heap integrity
+
+>[!NOTE]
+>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
+>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
+
+##### Attack Surface Reduction (ASR) rules:
+The following ASR rules must be configured to **Block mode**:
+
+Rule description | GUIDs
+-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+
+>[!NOTE]
+>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
+>Consider enabling this rule in **Audit** or **Block mode** for better protection.
+
+
+##### Controlled Folder Access
+The Controlled Folder Access setting must be configured to **Audit** or **Block mode**.
+
+>[!NOTE]
+> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
+>Consider enabling Controlled Folder Access for better protection.
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on all system-level Exploit Protection settings
+- Set all ASR rules to enabled or audit mode
+- Turn on Controlled Folder Access
+- Turn on Windows Defender Antivirus on compatible machines
+
+For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+
+### Windows Defender Application Guard (Windows Defender AG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender AG:
+Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender AG is turned on compatible machines
+- Managed mode is turned on
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Ensure hardware and software prerequisites are met
+
+ >[!NOTE]
+ >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
+
+- Turn on Windows Defender AG on compatible machines
+- Turn on managed mode
+
+
+For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
+
+
+### Windows Defender SmartScreen optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+
+#### Minimum baseline configuration setting for Windows Defender SmartScreen:
+The following settings must be configured with the following settings:
+- Check apps and files: **Warn** or **Block**
+- SmartScreen for Microsoft Edge: **Warn** or **Block**
+- SmartScreen for Windows Store apps: **Warn** or **Off**
+
+
+You can take the following actions to increase the overall security score of your organization:
+- Set **Check app and files** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **SmartScreen for Windows Store apps** to **Warn** or **Off**
+
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
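Review bot: In the SmartScreen baseline list, **Off** is accepted as a passing value for "SmartScreen for Windows Store apps", while the other two settings require **Warn** or **Block**. Please confirm that a disabled control is really meant to count as "well configured", and say so in the text if it is. The same section also lacks the `##### Recommended actions:` heading that the two sections above it use, so "You can take the following actions to increase the overall security score of your organization:" runs straight on from the baseline list. The setting is called "Check apps and files" in the baseline list but "Check app and files" in the action list; use one label. Wording nits: "Windows Defender AG is turned on compatible machines" is missing a second "on", "comply to" should be "comply with", and "The following settings must be configured with the following settings" repeats itself.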
diff --git a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index a6f76a8f46..0000000000
--- a/windows/threat-protection/windows-defender-atp/security-updates-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title:
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Security updates
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
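Review bot: Nothing in this hunk shows the matching TOC or redirect update for the deleted topic. Removing the file itself looks right, since its title, description and keywords are all empty and the body is only the "Applies to" list, but check that no TOC entry or link still points to security-updates-windows-defender-advanced-threat-protection.md, or add a redirect in the same change.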
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index aed38dc020..64db7e6e2b 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Check the Windows Defender ATP service health
description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved.
-keywords: dashboard, service, issues, service health, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
+keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
+
The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
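Review bot: The paragraph directly under the new trial link still reads "Window Defender ATP service" (missing "s"), and "verify that the service health is healthy" is circular. Since this hunk already edits around that paragraph, fix both here: "Windows Defender ATP service" and "verify that the service is healthy".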
@@ -33,11 +35,11 @@ You can view details on the service health by clicking the tile from the **Secur
The **Service health** details page has the following tabs:
-- **Current issues**
+- **Current status**
- **Status history**
-## Current issues
-The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
+## Current status
+The **Current status** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
- Date and time for when the issue was detected
- A short description of the issue
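Review bot: Renaming the heading from `## Current issues` to `## Current status` changes the generated anchor from #current-issues to #current-status, so any inbound link to the old anchor stops resolving. Search the repo for `#current-issues` before merging. On the changed paragraph itself, "When the service is running smoothly a healthy service health is shown" needs a comma after "smoothly" and reads better as "a healthy status is shown".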
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index 0d217af685..51307867de 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection settings
-description: Use the menu to configure the time zone, suppression rules, and view license information.
-keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules
+description: Use the menu to configure the time zone and view license information.
+keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -25,7 +25,9 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
-Use the **Settings** menu  to configure the time zone, suppression rules, and view license information.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink)
+
+Use the **Settings** menu  to configure the time zone and view license information.
## Time zone settings
The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
@@ -39,7 +41,7 @@ Your current time zone setting is shown in the Windows Defender ATP menu. You ca
### UTC time zone
Windows Defender ATP uses UTC time by default.
-Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
+Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
### Local time zone
You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
@@ -55,10 +57,36 @@ To set the time zone:
1. Click the **Settings** menu .
2. Select the **Timezone UTC** indicator.
-3. Select **Timezone Local** or **-8:00**.
+3. Select **Timezone UTC** or your local time zone, for example -7:00.
-## Suppression rules
-The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+### Regional settings
+To apply different date formats for Windows Defender ATP, use regional settings for IE and Edge. If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
+
+
+**Internet Explorer (IE) and Microsoft Edge (Edge)**
+
+IE and Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
+
+
+#### Known issues with regional formats
+
+**Date and time formats**
+There are some known issues with the time and date formats.
+
+The following date formats are supported:
+- MM/dd/yyyy
+- dd/MM/yyyy
+
+The following date and time formats are currently not supported:
+- Date format yyyy-MM-dd
+- Date format dd-MMM-yy
+- Date format dd/MM/yy
+- Date format MM/dd/yy
+- Date format with yy. Will only show yyyy.
+- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+
+**Decimal symbol used in numbers**
+Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
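Review bot: The last bullet of the unsupported-formats list contradicts itself. It names "Time format HH:mm:ss" as not supported and then says only the 24-hour format is supported, but HH:mm:ss is the 24-hour pattern. If the intent is that the 12-hour AM/PM format is unsupported, name that pattern instead and drop the parenthetical. "Date format with yy. Will only show yyyy." also overlaps with the dd/MM/yy and MM/dd/yy bullets above it. This list differs from the copy added to the troubleshooting topic in the same change (yyyy-MM-dd here, yyyy/MM/dd there); keep one list and link to it from the other topic. Removing `## Suppression rules` drops the #suppression-rules anchor on this page, so check for inbound links. In step 2, "Select the **Timezone UTC** indicator" followed by "Select **Timezone UTC** or your local time zone" is confusing when the current setting is already local time.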
diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index 108fefc1b7..04e81e2885 100644
--- a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -23,6 +23,9 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index f802ef999b..1a8543fe50 100644
--- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink)
+
Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index a7b4331483..109ede1a84 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -48,6 +48,9 @@ If your client secret expires or if you've misplaced the copy provided when you
7. Copy the value and save it in a safe place.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink)
+
+
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 30083255ae..9fbbf9f078 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -274,6 +274,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
+
+
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index b04d0fdea3..b8da894820 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -49,6 +49,9 @@ If your client secret expires or if you've misplaced the copy provided when you
7. Copy the value and save it in a safe place.
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
+
+
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 00ddbd8987..c0885c2510 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -50,6 +50,26 @@ If onboarding endpoints successfully completes but Windows Defender ATP does not
For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
+#### Known issues with regional formats
+
+**Date and time formats**
+There are some known issues with the time and date formats.
+
+The following date formats are supported:
+- MM/dd/yyyy
+- dd/MM/yyyy
+
+The following date and time formats are currently not supported:
+- Date format yyyy/MM/dd
+- Date format dd/MM/yy
+- Date format with yy. Will only show yyyy.
+- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
+
+**Use of comma to indicate thousand**
+Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
+
### Related topic
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
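Review bot: The "Use of comma to indicate thousand" paragraph does not match its own example. 15,5K displayed as 15.5K is a decimal comma being replaced by a dot, not a thousands separator, and the settings topic in this same change describes the identical behaviour under "Decimal symbol used in numbers". Retitle and reword this paragraph to match. "Support of use of comma as a separator in numbers are not supported" doubles "support" and has a subject/verb mismatch. The time-format bullet lists HH:mm:ss as unsupported while saying only the 24-hour format is supported, which is the same pattern. The unsupported date list here (yyyy/MM/dd) also disagrees with the settings topic (yyyy-MM-dd). Finally, the new subsection sits under the onboarding troubleshooting context as a `####` heading; confirm that is the intended level.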
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index 727c6135b0..ae473cd899 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
+
Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
You can use the code examples to guide you in creating calls to the custom threat intelligence API.
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index bcd359ef0c..a0f9d4ce21 100644
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,8 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
+
A typical security breach investigation requires a member of a security operations team to:
1. View an alert on the **Security operations dashboard** or **Alerts queue**
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 4f308f2bea..17124a8070 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -25,7 +25,7 @@ ms.date: 09/05/2017
[!include[Prerelease information](prerelease.md)]
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
>
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
@@ -101,7 +101,7 @@ Topic | Description
[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
-[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information.
+[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings and view license information.
[Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues.
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 0916abe7b6..320ea854bf 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -1,7 +1,7 @@
---
-title: Use Attack Surface Reduction rules to prevent malware infection
+title: Use Attack surface reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
-keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
+keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -37,11 +37,11 @@ ms.date: 08/25/2017
- Configuration service providers for mobile device management
-Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
+Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
@@ -49,13 +49,13 @@ The feature is comprised of a number of rules, each of which target specific beh
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
-See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
+See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled.
-## Attack Surface Reduction rules
+## Attack surface reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
@@ -125,18 +125,18 @@ It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/l
## Requirements
-The following requirements must be met before Attack Surface Reduction will work:
+The following requirements must be met before Attack surface reduction will work:
Windows 10 version | Windows Defender Antivirus
- | -
-Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
-## Review Attack Surface Reduction events in Windows Event Viewer
+## Review Attack surface reduction events in Windows Event Viewer
-You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
+You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
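Review bot: The Requirements table row changes more than casing. The new line drops "and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)" and leaves real-time protection as the only stated prerequisite. That changes a documented security requirement inside what otherwise reads as a terminology rename, so confirm it is intended and call it out in the commit message. If any rule still depends on cloud-delivered protection, keep it in the table or note it on that rule.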
@@ -144,13 +144,13 @@ You can review the Windows event log to see events that are created when an Atta
2. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
+5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
Event ID | Description
-|-
@@ -172,7 +172,7 @@ You can review the Windows event log to see events that are created when an Atta
Topic | Description
---|---
-[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
-[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
-[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
+[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
+[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network.
+[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 8ca8c4120a..2d4af77fb8 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -34,7 +34,7 @@ You might want to do this when testing how the feature will work in your organiz
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
-You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
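Review bot: Style point on the changed sentence: "get greater granularity into each event" is awkward, and because the line is already being touched for the casing fix, it could be reworded in the same change, for example "get more detail about each event". The sentence also spells out "Windows Defender Advanced Threat Protection" and then switches to "Windows Defender ATP" without introducing the abbreviation; adding "(Windows Defender ATP)" after the first mention would tie the two together.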
@@ -44,10 +44,10 @@ You can use Group Policy, PowerShell, and configuration servicer providers (CSPs
Audit options | How to enable audit mode | How to view events
- | - | -
-Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
-Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
-Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
+Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
+Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
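Review bot: The trailing context line of this hunk reads "You can also use the a custom PowerShell script", with a stray "the"; since the table directly above it is being rewritten, fix it in the same change. The context shown in the hunk header has a similar typo, "configuration servicer providers", which should be "configuration service providers". The table edits themselves change link text casing only and leave every anchor untouched, so the links resolve as before.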
@@ -58,7 +58,7 @@ You can also use the a custom PowerShell script that enables the features in aud
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
+3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audie mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
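Review bot: The replacement line for step 3 carries over the typo "audie mode"; it should read "audit mode". Separately, the context line `Set-ExecutionPolicy Bypass -Force` is given without `-Scope`, so it applies at the default LocalMachine scope and leaves the policy at Bypass after the script has run. Because step 2 has the reader in an elevated prompt, consider documenting `-Scope Process` instead, or adding a step that restores the previous policy.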