deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into App-v-revision

Browse Source
This commit is contained in:
Heidi Lohr 2018-08-21 15:11:31 -07:00
commit 7d3869c482
40 changed files with 943 additions and 542 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.openpublishing.redirection.json
View File

@ -5261,11 +5261,6 @@
"redirect_document_id": true
},
{
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
"redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/windows-diagnostic-data-1709.md",
"redirect_url": "/windows/configuration/windows-diagnostic-data",
"redirect_document_id": true
@ -13731,6 +13726,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
"redirect_document_id": true

4
browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Microsofot gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Microsoft gathers all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
|Disabled or not configured<br>**(default)** |0 |0 |Gather and send only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
---
### ADMX info and settings

2
browsers/edge/includes/allow-saving-history-include.md
View File

@ -16,7 +16,7 @@
### ADMX info and settings
#### ADMX info
- **GP English name:** Allow saving history
- **GP English name:** Allow Saving History
- **GP name:** AllowSavingHistory
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx

2
browsers/edge/includes/configure-autofill-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure Autofill -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured*
>*Default setting: Not configured (Blank)*
[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)]

2
browsers/edge/includes/configure-do-not-track-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|Disabled |1 |1 |Never send tracking information. | |
|Disabled |0 |0 |Never send tracking information. | |
|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/configure-home-button-include.md
View File

@ -1,5 +1,5 @@
<!-- ## Configure Home Button-->
>*Supported versions: Microsoft Edge on Windows 10*
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Show home button and load the Start page)*

5
browsers/edge/includes/configure-password-manager-include.md
View File

@ -14,9 +14,8 @@
---
Verify not allowed/disabled settings:
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…).
2. Click **Settings** and select **View Advanced settings**.
3. Verify the settings **Save Password** is toggled off or on and is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the settings **Save Password** is toggled off or on and is greyed out.
### ADMX info and settings
#### ADMX info

2
browsers/edge/includes/configure-search-suggestions-address-bar-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure search suggestions in Address bar -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured*
>*Default setting: Not configured (Blank)*
[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)]

9
browsers/edge/includes/configure-windows-defender-smartscreen-include.md
View File

@ -8,15 +8,14 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | |
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen. | |
|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) |
---
To verify Windows Defender SmartScreen is turned off (disabled):
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**).
2. Click **Settings** and select **View Advanced Settings**.
3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
To verify Windows Defender SmartScreen is turned off (disabled):
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
### ADMX info and settings

2
browsers/edge/includes/disable-lockdown-of-start-pages-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
|Not configured |0 |0 |Lock down Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
---

4
browsers/edge/includes/do-not-sync-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Do not sync -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Disabled or not configured (Turned on)*
>*Default setting: Disabled or not configured (Allowed/turned on)*
[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)]
@ -17,7 +17,7 @@
- **GP English name:** Do not sync
- **GP name:** AllowSyncMySettings
- **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** MicrosoftEdge.admx
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings)

4
browsers/edge/includes/keep-fav-sync-ie-edge-include.md
View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing. | |
|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) |
|Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing | |
|Enabled |1 |1 |Turned on/syncing |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/prevent-access-about-flag-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed. | |
|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Prevents users from accessing the about:flags page. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/prevent-certificate-error-overrides-include.md
View File

@ -7,7 +7,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Overrides the security warning to sites that have SSL errors. | |
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/prevent-live-tile-pinning-start-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Collect and send Live Tile metadata. | |
|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |No data collected. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

4
browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
View File

@ -20,8 +20,8 @@ For more details about configuring the browser syncing options, see [Sync browse
#### ADMX info
- **GP English name:** Prevent users from turning on browser syncing
- **GP name:** PreventUsersFromTurningOnBrowserSyncing
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx
- **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)

2
browsers/edge/includes/provision-favorites-include.md
View File

@ -12,7 +12,7 @@
|Group Policy |Description |Most restricted |
|---|---|:---:|
|Disabled or not configured<br>**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) |
|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/set-default-search-engine-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | |
|Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../available-policies.md#allow-search-engine-customization) policy, users cannot make changes. | |
|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | |
|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.<p><p>If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/unlock-home-button-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Disabled or not configured<br>**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. |
|Disabled or not configured<br>**(default)** |0 |0 |Lock down and prevent users from making changes to the home button settings. |
|Enabled |1 |1 |Let users make changes. |
---

2
browsers/edge/shortdesc/configure-favorites-shortdesc.md
View File

@ -1 +1 @@
Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
Discontinued in Windows 10, version 1810. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.

180
windows/application-management/msix-app-packaging-tool.md
View File

@ -23,14 +23,19 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
- A valid MSA alias (to access the app from the Store)
## What's new
v1.2018.808.0
v1.2018.821.0
- Command Line Support
- Ability to use existing local virtual machines for packaging environment.
- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
- Minor updates to the UI for added clarity.
v1.2018.807.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
- Fixed an issue where signing in with password protected certificates would fail in the tool.
- Fixed an issue where signing with password protected certificates would fail in the tool.
- Fixed an issue where the tool was crashing when editing an existing MSIX package.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
- Minor UI tweaks to add clarity.
- Minor updates to the logs for added clarity.
- Minor updates to the logs to add clarity.
## Installing the MSIX Packaging Tool
@ -45,12 +50,169 @@ This is an early preview build and not all features are supported. Here is what
- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**.
Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features:
## Creating an application package using the Command line interface
To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window.
- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0).
- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM.
- Command Line Interface support
- Conversion of App-V 4.x packages
Here are the parameters that can be passed as command line arguments:
|Parameter |Description |
|---------|---------|
|-? <br> --help | Show help information |
|--template | [required] path to the conversion template XML file containing package information and settings for this conversion |
|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. |
Examples:
- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893
## Conversion template file
```xml
<MsixPackagingToolTemplate
xmlns="http://schemas.microsoft.com/appx/msixpackagingtool/template/2018">
<Settings
AllowTelemetry="true"
ApplyAllPrepareComputerFixes="true"
GenerateCommandLineFile="true"
AllowPromptForPassword="false" >
<ExclusionItems>
<FileExclusion ExcludePath="[{CryptoKeys}]" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Crypto" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Search\Data" />
<FileExclusion ExcludePath="[{Cookies}]" />
<FileExclusion ExcludePath="[{History}]" />
<FileExclusion ExcludePath="[{Cache}]" />
<FileExclusion ExcludePath="[{Personal}]" />
<FileExclusion ExcludePath="[{Profile}]\Local Settings" />
<FileExclusion ExcludePath="[{Profile}]\NTUSER.DAT.LOG1" />
<FileExclusion ExcludePath="[{Profile}]\ NTUSER.DAT.LOG2" />
<FileExclusion ExcludePath="[{Recent}]" />
<FileExclusion ExcludePath="[{Windows}]\debug" />
<FileExclusion ExcludePath="[{Windows}]\Logs\CBS" />
<FileExclusion ExcludePath="[{Windows}]\Temp" />
<FileExclusion ExcludePath="[{Windows}]\WinSxS\ManifestCache" />
<FileExclusion ExcludePath="[{Windows}]\WindowsUpdate.log" />
<FileExclusion ExcludePath="[{AppVPackageDrive}]\$Recycle.Bin " />
<FileExclusion ExcludePath="[{AppVPackageDrive}]\System Volume Information" />
<FileExclusion ExcludePath="[{AppData}]\Microsoft\AppV" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Security Client" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Antimalware" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Windows Defender" />
<FileExclusion ExcludePath="[{ProgramFiles}]\Microsoft Security Client" />
<FileExclusion ExcludePath="[{ProgramFiles}]\Windows Defender" />
<FileExclusion ExcludePath="[{Local AppData}]\Temp" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Security Client" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\AppV" />
</ExclusionItems>
</Settings>
<PrepareComputer
DisableDefragService="true"
DisableWindowsSearchService="true"
DisableSmsHostService="true"
DisableWindowsUpdateService ="true"/>
<!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
<SaveLocation Path="C:\users\user\Desktop" />
<Installer
Path="C:\MyAppInstaller.msi"
Arguments="/quiet"
InstallLocation="C:\Program Files\MyAppInstallLocation" />
<VirtualMachine Name="vmname" Username="vmusername" />
<PackageInformation
PackageName="MyAppPackageName"
PackageDisplayName="MyApp Display Name"
PublisherName="CN=MyPublisher"
PublisherDisplayName="MyPublisher Display Name"
Version="1.1.0.0"
MainPackageNameForModificationPackage="MainPackageIdentityName">
<Applications>
<Application
Id="MyApp1"
Description="MyApp"
DisplayName="My App"
ExecutableName="MyApp.exe"/>
</Applications>
<Capabilities>
<Capability Name="runFullTrust" />
</Capabilities>
</PackageInformation>
</MsixPackagingToolTemplate>
```
## Conversion template parameter reference
Here is the complete list of parameters that you can use in the Conversion template file.
|ConversionSettings entries |Description |
|---------|---------|
|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. |
|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. |
|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. |
|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. |
|SaveLocation::Path |The path to the folder where the resulting MSIX package is saved. |
|Installer::Path |The path to the application installer. |
|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. |
|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). |
|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. |
|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. |
|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. |
|PackageInformation::PackageName |The Package Name for your MSIX package. |
|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. |
|PackageInformation::PublisherName |The Publisher for your MSIX package. |
|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. |
|PackageInformation::Version |The version number for your MSIX package. |
|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. |
|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. |
|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package |
|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. |
|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName |
|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName |
|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. |
|Capability::Name |The capability to add to your MSIX package. |
## Delete temporary conversion files using Command line interface
To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window.
Example:
- MsixPackagingTool.exe cleanup
## How to file feedback

2
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/24/2018
ms.date: 08/21/2018
---
# EnterpriseModernAppManagement CSP

BIN
windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 128 KiB

After

Width:  |  Height:  |  Size: 132 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-office.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.4 KiB

After

Width:  |  Height:  |  Size: 11 KiB

11
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1414,6 +1414,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Experience/AllowClipboardHistory</li>
<li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Kerberos/UPNNameHints</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
@ -1478,6 +1479,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
</tbody>
</table>
@ -1763,6 +1768,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
@ -1801,12 +1810,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Browser/UnlockHomeButton</li>
<li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Kerberos/UPNNameHints</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>Update/UpdateNotificationLevel</li>
</ul>
<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.</p>
</td></tr>
</tbody>
</table>

48
windows/client-management/mdm/office-csp.md
View File

@ -6,13 +6,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/25/2018
ms.date: 08/15/2018
---
# Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
@ -21,39 +24,44 @@ The following diagram shows the Office configuration service provider in tree fo
![Office CSP diagram](images/provisioning-csp-office.png)
<a href="" id="office"></a>**Office**
<p style="margin-left: 20px">The root node for the Office configuration service provider.</p>
<a href="" id="office"></a>**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.</p>
<a href="" id="installation"></a>**Installation**
Specifies the options for the Microsoft Office installation.
<p style="margin-left: 20px">Specifies the options for the Microsoft Office installation.
The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace.
<a href="" id="id"></a>**Installation/_id_**
Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
<a href="" id="id"></a>**id**
The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
<a href="" id="install"></a>**Installation/_id_/Install**
Installs Office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace.
The supported operations are Get and Execute.
<a href="" id="install"></a>**Install**
<a href="" id="status"></a>**Installation/_id_/Status**
The Microsoft Office installation status.
<p style="margin-left: 20px">Installs Office by using the XML data specified in the configuration.xml file.
The only supported operation is Get.
<p style="margin-left: 20px">The supported operations are Get and Execute.
<a href="" id="finalstatus"></a>**Installation/_id_/FinalStatus**
Added in Windows 10, next major version. Indicates the status of the Final Office 365 installation.
<a href="" id="status"></a>**Status**
The only supported operation is Get.
<p style="margin-left: 20px">The Microsoft Office installation status.
Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status != 0: 60 (failed)
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="currentstatus"></a>**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
<a href="" id="currentstatus"></a>**CurrentStatus**
<p style="margin-left: 20px">Returns an XML of current Office 365 installation status on the device.
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
## Examples

68
windows/client-management/mdm/office-ddf.md
View File

@ -7,17 +7,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/05/2017
ms.date: 08/15/2018
---
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1709.
The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -33,7 +35,7 @@ The XML below is for Windows 10, version 1709.
<AccessType>
<Get />
</AccessType>
<Description>Root of the Office CSP.</Description>
<Description>Root of the office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -44,7 +46,7 @@ The XML below is for Windows 10, version 1709.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
<MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -53,7 +55,7 @@ The XML below is for Windows 10, version 1709.
<AccessType>
<Get />
</AccessType>
<Description>Installation options for the Office CSP.</Description>
<Description>Installation options for the office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -98,7 +100,7 @@ The XML below is for Windows 10, version 1709.
<Exec />
<Get />
</AccessType>
<Description>The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office.</Description>
<Description>The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -134,6 +136,27 @@ The XML below is for Windows 10, version 1709.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
@ -175,7 +198,7 @@ The XML below is for Windows 10, version 1709.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
<MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -261,6 +284,27 @@ The XML below is for Windows 10, version 1709.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
@ -287,13 +331,3 @@ The XML below is for Windows 10, version 1709.
</Node>
</MgmtTree>
```
 
 

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2060,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl>
### KioskBrowser policies

160
windows/client-management/mdm/policy-csp-browser.md
View File

@ -425,7 +425,16 @@ Most restricted value: 0
[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow configuration updates for the Books Library*
- GP name: *AllowConfigurationUpdateForBooksLibrary*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
@ -476,9 +485,6 @@ Supported values:
<!--Description-->
[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -504,7 +510,7 @@ To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is greyed out.
4. Verify the setting **Cookies** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -697,8 +703,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Prevented/not allowed.
- 1 (default) Allowed.
- 0 Prevented/not allowed
- 1 (default) Allowed
<!--/SupportedValues-->
<!--/Policy-->
@ -758,8 +764,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Prevented/not allowed.
- 1 (default) Allowed.
- 0 Prevented/not allowed
- 1 (default) Allowed
<!--/SupportedValues-->
<!--/Policy-->
@ -803,7 +809,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
@ -821,9 +827,10 @@ ADMX Info:
Supported values:
- 0 Load and run Adobe Flash content automatically.
- 1 (default) Do not load or run Adobe Flash content automatically. Requires user action.
- 1 (default) Does not load or run Adobe Flash content automatically. Requires action from the user.
Most restricted value: 1
<!--/SupportedValues-->
<!--/Policy-->
@ -882,10 +889,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -936,8 +945,6 @@ Most restricted value: 0
<!--Description-->
[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)]
Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -953,6 +960,8 @@ Supported values:
- 0 Prevented/not allowed
- 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -995,12 +1004,11 @@ Supported values:
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)]
Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
@ -1017,6 +1025,8 @@ Supported values:
- 0 Prevented/not allowed
- 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1074,7 +1084,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - Users can shoose to save and manage passwords locally.
- Blank - Users can choose to save and manage passwords locally.
- 0 Not allowed.
- 1 (default) Allowed.
@ -1084,10 +1094,8 @@ Most restricted value: 0
<!--Validation-->
To verify AllowPasswordManager is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the settings **Save Password** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1151,14 +1159,13 @@ Supported values:
- 1 Turn on Pop-up Blocker stopping pop-up windows from opening.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify AllowPopups is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Block pop-ups** is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Block pop-ups** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1219,10 +1226,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1287,10 +1296,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1355,10 +1366,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1408,7 +1421,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)]
@ -1493,6 +1506,7 @@ Supported values:
- 1 Allowed. Show the search suggestions.
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1543,7 +1557,7 @@ Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Sideloading of extension*
- GP English name: *Allow sideloading of Extensions*
- GP name: *AllowSideloadingOfExtensions*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
@ -1552,10 +1566,11 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 0 - Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 1 (default) - Allowed.
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1618,19 +1633,18 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - Users can choose to use Windows Defender SmartScreen or not.
- Blank - Users can choose to use Windows Defender SmartScreen.
- 0 Turned off. Do not protect users from potential threats and prevent users from turning it on.
- 1 (default) Turned on. Protect users from potential threats and prevent users from turning it off.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify AllowSmartScreen is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1691,8 +1705,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Allowed. Preload Start and New tab pages.
- 1 - Prevented/not allowed.
- 0 - Prevented/not allowed.
- 1 (default) - Allowed. Preload Start and New tab pages.
Most restricted value: 1
<!--/SupportedValues-->
@ -1747,6 +1761,7 @@ Most restricted value: 1
[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1832,6 +1847,7 @@ Supported values:
- 1 - Show the Books Library, regardless of the devices country or region.
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1874,7 +1890,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
@ -1894,6 +1910,7 @@ Supported values:
- 1 Allowed. Clear the browsing data upon exit automatically.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
@ -1945,12 +1962,12 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)]
> [!IMPORTANT]
> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled. 
> Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled. 
<!--/Description-->
@ -2106,7 +2123,7 @@ Supported values:
- 3 - Hide home button.
>[!TIP]
>If you want to make changes to this policy:<ol><li>Set the **Unlock Home Button** policy to 1 (enabled).</li><li>Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.</li><li>Set the **Unlock Home Button** policy to 0 (disabled).</li></ol>
>If you want to make changes to this policy:<ol><li>Set **UnlockHomeButton** to 1 (enabled).</li><li>Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.</li><li>Set **UnlockHomeButton** 0 (disabled).</li></ol>
<!--/SupportedValues-->
@ -2179,13 +2196,14 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
**0 (Default or not configured)**:
**0 (Default or not configured)**:
- If its a single app, it runs InPrivate full screen for digital signage or interactive displays.
- If its one of many apps, Microsoft Edge runs as normal.
**1**:
**1**:
- • If its a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users cant minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
- If its one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they cant customize Microsoft Edge.
<!--/SupportedValues-->
<!--Example-->
@ -2239,7 +2257,7 @@ Supported values:
[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
<!--/Description-->
<!--ADMXMapped-->
@ -2253,9 +2271,11 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- **Any integer from 1-1440 (5 minutes is the default)** The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
- **0** No idle timer.
<!--/SupportedValues-->
<!--Example-->
@ -2313,8 +2333,8 @@ Supported values:
If you don't want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non domain-joined devices when it's the only configured URL.
**Version 1810**:<br>
When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
**Next major version**:<br>
When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages.
<!--/Description-->
<!--ADMXMapped-->
@ -2329,14 +2349,14 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page.
- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page.
- 0 - Load the Start page.
- 1 - Load the New tab page.
- 2 - Load the previous pages.
- 3 (default) - Load a specific page or pages.
>[!TIP]
>If you want to make changes to this policy:<ol><li>Set the Disabled Lockdown of Start Pages policy to 0 (not configured).</li><li>Make changes to the Configure Open Microsoft With policy.</li><li>Set the Disabled Lockdown of Start Pages policy to 1 (enabled).</li></ol>
>If you want to make changes to this policy:<ol><li>Set DisableLockdownOfStartPages to 0 (not configured).</li><li>Make changes to ConfigureOpenEdgeWith.</li><li>Set DisableLockdownOfStartPages to 1 (enabled).</li></ol>
<!--/SupportedValues-->
@ -2459,7 +2479,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10*
[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
 
@ -2483,8 +2503,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy. 
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy.
- 0 Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy.
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy.
Most restricted value: 0
<!--/SupportedValues-->
@ -2544,8 +2564,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration.
- 1 - Gather both basic and additional data, such as usage data.
- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration.
- 1 - Gather all diagnostic data.
Most restricted value: 0
<!--/SupportedValues-->
@ -2598,7 +2618,6 @@ Most restricted value: 0
 
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -2613,7 +2632,8 @@ ADMX Info:
Supported values:
- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps.
- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.
- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.<p>For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
<!--/SupportedValues-->
<!--/Policy-->
@ -2658,7 +2678,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
> [!IMPORTANT]
> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead.
> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead.
<!--/Description-->
<!--/Policy-->
@ -2707,8 +2727,6 @@ Supported values:
Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com.
Data type = String
<!--/Description-->
<!--/Policy-->
@ -2892,7 +2910,7 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)]
[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
@ -2907,7 +2925,7 @@ ADMX Info:
Supported values:
- 0 (default) Allowed.
- 1 Prevented/not allowed. Users cannot access the about:flags page.
- 1 Prevents users from accessing the about:flags page.
Most restricted value: 1
<!--/SupportedValues-->
@ -3036,7 +3054,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) Allowed. Microsoft Edge loads the First Run webpage.
- 0 (default) Allowed. Load the First Run webpage.
- 1 Prevented/not allowed.
Most restricted value: 1
@ -3082,7 +3100,7 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
@ -3098,7 +3116,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) Collect and send Live Tile metadata to Microsoft.
- 0 (default) Collect and send Live Tile metadata.
- 1 No data collected.
Most restricted value: 1
@ -3395,9 +3413,9 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1709*
>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
[!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)]
 
Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
@ -3405,14 +3423,14 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F
To define a default list of favorites:
1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
2. Click **Import from another browser**, click **Export to file** and save the file.
3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"="http://localhost:8080/URLs.html"</li><li>Local network: "SiteList"="\\network\\shares\\URLs.html"</li><li>Local file: "SiteList"="file:///c:\\Users\\<user\>\\Documents\\URLs.html"</li></ul>
3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul>
> [!Important]
> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
>[!IMPORTANT]
>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
Data type = string
<!--/Description-->
<!--ADMXMapped-->
@ -3424,6 +3442,7 @@ ADMX Info:
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
@ -3485,9 +3504,10 @@ ADMX Info:
Supported values:
- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically.
- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- 1 - Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<br><br>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.<p></li><li>Refresh the policy and then view the affected sites in Microsoft Edge.<p><p>A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol>
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -3553,7 +3573,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes.
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](https://review.docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser?branch=microsoft-edge-preview#browser-allowsearchenginecustomization) policy, users cannot make changes.
- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.<p><p>If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
@ -3802,7 +3822,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
@ -3894,7 +3914,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Lock down the home button to prevent users from making changes to the settings.
- 0 (default) - Lock down and prevent users from making changes to the settings.
- 1 - Let users make changes.
<!--/SupportedValues-->
@ -3961,7 +3981,7 @@ ADMX Info:
Supported values:
- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
- 1 - Allowed. Microsoft Edge downloads book files into a shared folder.
- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
Most restricted value: 0
<!--/SupportedValues-->

55
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1454,7 +1454,25 @@ Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
Value type: integer
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Turn syncing off by default but dont disable**_
Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option.
<!--/SupportedValues-->
<!--Example-->
@ -1508,21 +1526,11 @@ Related policy:
[DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
If you want to prevent syncing of browser settings and prevent users from turning it on:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
If you want to prevent syncing of browser settings but give users a choice to turn on syncing:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
2. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Do not sync browser settings*
- GP name: *DisableWebBrowserSettingSync*
- GP element: *CheckBox_UserOverride*
- GP English name: *Prevent users from turning on browser syncing*
- GP name: *PreventUsersFromTurningOnBrowserSyncing*
- GP path: *Windows Components/Sync your settings*
- GP ADMX file name: *SettingSync.admx*
@ -1533,17 +1541,30 @@ Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
Value type is integer.
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
**Validation procedure:**
Validation procedure:
Microsoft Edge on your PC:
1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your setting.
1. See if the setting is enabled or disabled based on your selection.
<!--/Validation-->
<!--/Policy-->

792
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -1,366 +1,426 @@
---
title: Policy CSP - Kerberos
description: Policy CSP - Kerberos
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/12/2018
---
# Policy CSP - Kerberos
<hr/>
<!--Policies-->
## Kerberos policies
<dl>
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
<dd>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
</dd>
<dd>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
---
title: Policy CSP - Kerberos
description: Policy CSP - Kerberos
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
---
# Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## Kerberos policies
<dl>
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
<dd>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
</dd>
<dd>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<a href="#kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-upnnamehints"></a>**Kerberos/UPNNameHints**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->

47
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -66,12 +66,59 @@ This security setting allows an administrator to define the members of a securit
Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
Starting in Windows 10, next major version, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
``` syntax
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="member_name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="member" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group Member</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="name" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="groupmembership">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
Here is an example:
```
<groupmembership>
<accessgroup desc="Administrators">
<member name="Contoso\Alice" />
<member name = "S-188-5-5666-5-688" / >
</accessgroup>
</groupmembership>
```
<!--/Example-->
<!--Validation-->

2
windows/deployment/update/waas-optimize-windows-10-updates.md
View File

@ -27,7 +27,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.

2
windows/privacy/TOC.md
View File

@ -5,7 +5,7 @@
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level Windows diagnostic data events and fields

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -23,6 +23,8 @@ The Basic level gathers a limited set of information that is critical for unders
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)

1
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

@ -30,6 +30,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)

0
windows/privacy/basic-level-windows-diagnostic-events-and-fields.md → windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

13
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 06/18/2018
ms.date: 08/21/2018
---
# Trusted Platform Module Technology Overview
@ -68,14 +68,15 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation.
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
## Supported versions
| TPM version | Windows 10 | Windows Server 2016 |
|-------------|------------|---------------------|
| TPM 1.2 | X | X |
| TPM 2.0 | X | X |
| TPM version | Windows 10 | Windows Server 2016 |
|-------------|-------------|---------------------|
| TPM 1.2 | >= ver 1607 | >= ver 1607 |
| TPM 2.0 | X | X |
## Related topics

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -21,6 +21,7 @@
### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)

32
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows 10)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: morganbr
ms.date: 08/20/2018
---
# Windows Defender Application Control and .NET hardening
Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization.
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NETs capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
To enable Dynamic Code Security, add the following option to the <Rules> section of your policy:
```xml
<Rule>
<Option>Enabled:Dynamic Code Security</Option>
</Rule>
```