Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20230807-landing-edu

Paolo Matarazzo 2023-08-07 23:00:08 +02:00
commit 81683e2a2b
31 changed files with 1522 additions and 941 deletions


@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -34,7 +34,9 @@ The following list shows the Defender configuration service provider nodes:
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
- [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
- [DaysUntilAggressiveCatchupQuickScan](#configurationdaysuntilaggressivecatchupquickscan)
- [DefaultEnforcement](#configurationdefaultenforcement)
- [DeviceControl](#configurationdevicecontrol)
- [PolicyGroups](#configurationdevicecontrolpolicygroups)
@ -44,6 +46,7 @@ The following list shows the Defender configuration service provider nodes:
- [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled)
- [DisableCacheMaintenance](#configurationdisablecachemaintenance)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
@ -58,20 +61,24 @@ The following list shows the Defender configuration service provider nodes:
- [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing)
- [DisableTlsParsing](#configurationdisabletlsparsing)
- [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock)
- [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
- [ExcludedIpAddresses](#configurationexcludedipaddresses)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
- [SecurityIntelligenceLocationUpdateAtScheduledTimeOnly](#configurationsecurityintelligencelocationupdateatscheduledtimeonly)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection)
@ -306,7 +313,7 @@ This settings controls whether Network Protection is allowed to be configured in
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-End -->
<!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-Begin -->
@ -468,6 +475,45 @@ Define the retention period in days of how much time the evidence data will be k
<!-- Device-Configuration-DataDuplicationLocalRetentionPeriod-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Begin -->
### Configuration/DataDuplicationMaximumQuota
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationMaximumQuota
```
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-Begin -->
<!-- Description-Source-DDF -->
Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-End -->
<!-- Device-Configuration-DataDuplicationRemoteLocation-Begin -->
### Configuration/DataDuplicationRemoteLocation
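Review bot: the DFProperties table for DataDuplicationMaximumQuota gives Format as `chr` (string) with no Allowed Values or Default Value row, although the description defines a quota in MB. State in the Editable section how the number is written in the string, what range is accepted, and what quota applies when the node is not set, because reaching the quota stops data duplication until the service has dispatched what it already collected.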
@ -507,6 +553,47 @@ Define data duplication remote location for device control.
<!-- Device-Configuration-DataDuplicationRemoteLocation-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Begin -->
### Configuration/DaysUntilAggressiveCatchupQuickScan
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DaysUntilAggressiveCatchupQuickScan
```
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0,7-60]` |
| Default Value | 25 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-End -->
<!-- Device-Configuration-DefaultEnforcement-Begin -->
### Configuration/DefaultEnforcement
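Review bot: the description says "The valid interval is [7-60] days" and only afterwards that 0 is accepted too, while the Allowed Values row gives `[0,7-60]`. Reword the sentence so that 0 reads as part of the valid set and state explicitly that 1 to 6 are not accepted. The term "aggressive quick scan" is also not defined anywhere in this section; one sentence in the Editable block would cover it.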
@ -873,6 +960,45 @@ Control Device Control feature.
<!-- Device-Configuration-DeviceControlEnabled-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Begin -->
### Configuration/DisableCacheMaintenance
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-End -->
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableCacheMaintenance
```
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Description-Begin -->
<!-- Description-Source-DDF -->
Defines whether the cache maintenance idle task will perform the cache maintenance or not.
<!-- Device-Configuration-DisableCacheMaintenance-Description-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-End -->
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-End -->
<!-- Device-Configuration-DisableCacheMaintenance-End -->
<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin -->
### Configuration/DisableCpuThrottleOnIdleScans
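Review bot: the DisableCacheMaintenance description does not say which value turns maintenance off, and the DFProperties table lists Format `chr` (string) with no Allowed Values or Default Value row. For what reads as an on/off switch, document the accepted strings and the default, or confirm whether the node should be `int` with 0/1 like DisableLocalAdminMerge in this same file.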
@ -928,7 +1054,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-End -->
<!-- Device-Configuration-DisableDatagramProcessing-OmaUri-Begin -->
@ -1282,7 +1408,7 @@ This setting disables Inbound connection filtering for Network Protection.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-Begin -->
<!-- Description-Source-DDF -->
When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Editable-Begin -->
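Review bot: "set to no" in the description does not correspond to anything an admin can send, since the Allowed values table for this node lists 1 and 0. Write it as "set to 0 (No)" and fix the spacing in "merge /override" while the line is being touched. The text is marked Description-Source-DDF, so the wording has to change in the DDF Description as well or it will be regenerated.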
@ -1304,8 +1430,8 @@ When this value is set to false, it allows a local admin the ability to specify
| Value | Description |
|:--|:--|
| 1 | Disable Local Admin Merge. |
| 0 (Default) | Enable Local Admin Merge. |
| 1 | Yes. |
| 0 (Default) | No. |
<!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Examples-Begin -->
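Review bot: replacing "Disable Local Admin Merge." / "Enable Local Admin Merge." with "Yes." / "No." in the Allowed values table makes the rows meaningless without the node name, and the reader has to work out that 1 = Yes means merging is turned off. Keep the outcome in the label, for example "Yes. Local admin merge is disabled." and "No. Local admin merge is enabled.", given that this setting decides whether local admin preferences can merge with or override policy settings.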
@ -1559,6 +1685,55 @@ This setting disables TLS Parsing for Network Protection.
<!-- Device-Configuration-DisableTlsParsing-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Begin -->
### Configuration/EnableConvertWarnToBlock
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/EnableConvertWarnToBlock
```
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether network protection blocks network traffic instead of displaying a warning.
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Warn verdicts are converted to block. |
| 0 (Default) | Warn verdicts aren't converted to block. |
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-End -->
<!-- Device-Configuration-EnableDnsSinkhole-Begin -->
### Configuration/EnableDnsSinkhole
@ -1710,6 +1885,45 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
<!-- Device-Configuration-EngineUpdatesChannel-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Begin -->
### Configuration/ExcludedIpAddresses
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-End -->
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
```
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Description-Begin -->
<!-- Description-Source-DDF -->
Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
<!-- Device-Configuration-ExcludedIpAddresses-Description-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-End -->
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-End -->
<!-- Device-Configuration-ExcludedIpAddresses-End -->
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Begin -->
### Configuration/HideExclusionsFromLocalAdmins
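Review bot: the ExcludedIpAddresses description does not say how the "particular set of IP addresses" is encoded in the `chr` value: which separator is used, whether IPv4 and IPv6 are both accepted, and whether ranges or prefixes are allowed. Every entry switches off wdnisdrv packet inspection for that address, so add the syntax and a sample value to the Examples section, and use the Editable section to recommend keeping the list as narrow as possible.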
@ -2008,6 +2222,55 @@ Setting to control automatic remediation for Sense scans.
<!-- Device-Configuration-PassiveRemediation-End -->
<!-- Device-Configuration-PerformanceModeStatus-Begin -->
### Configuration/PerformanceModeStatus
<!-- Device-Configuration-PerformanceModeStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- Device-Configuration-PerformanceModeStatus-Applicability-End -->
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
```
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-End -->
<!-- Device-Configuration-PerformanceModeStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.
<!-- Device-Configuration-PerformanceModeStatus-Description-End -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-End -->
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-End -->
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
| 1 | Performance mode is disabled. A service restart is required after changing this value. |
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-End -->
<!-- Device-Configuration-PerformanceModeStatus-End -->
<!-- Device-Configuration-PlatformUpdatesChannel-Begin -->
### Configuration/PlatformUpdatesChannel
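Review bot: in the Allowed values table 0 means performance mode is enabled and 1 means it is disabled, which is the opposite of what a node named PerformanceModeStatus suggests and of the 1 = on convention used by EnableConvertWarnToBlock earlier in this file. Call the inversion out in the Editable section, drop the duplicated "(default)" in the 0 row, and name the service that has to be restarted.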
@ -2101,7 +2364,7 @@ In Microsoft Defender Antivirus, randomize the start time of the scan to any int
| Value | Description |
|:--|:--|
| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. |
| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. |
| 0 | Scheduled tasks won't be randomized. |
<!-- Device-Configuration-RandomizeScheduleTaskTimes-AllowedValues-End -->
<!-- Device-Configuration-RandomizeScheduleTaskTimes-Examples-Begin -->
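Review bot: with the 0 row now reading "Scheduled tasks won't be randomized.", the 1 (Default) row still reads as an instruction ("Widen or narrow the randomization period ...") and never states that tasks are randomized. Start that row with the behaviour, for example "Scheduled tasks are randomized.", and say which window applies when SchedulerRandomizationTime is not set, since the removed text was the only place in this table that mentioned a 4 hour window.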
@ -2239,6 +2502,55 @@ Defines what are the devices primary ids that should be secured by Defender Devi
<!-- Device-Configuration-SecuredDevicesConfiguration-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Begin -->
### Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
```
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It's used together with the shared security intelligence location (SecurityIntelligenceLocation).
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time. |
| 0 (Default) | If you either disable or don't configure this setting, updates occur whenever a new security intelligence update is detected at the location that's specified by SecurityIntelligenceLocation. |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
### Configuration/SecurityIntelligenceUpdatesChannel
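Review bot: the 1 row refers to "the previously configured scheduled update time" without naming the setting that defines that schedule, and SecurityIntelligenceLocation is mentioned in the description and in both rows without a link. Link both, and note in the Editable section what happens when this node is set to 1 but SecurityIntelligenceLocation is not configured.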


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1033,6 +1033,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ExcludedIpAddresses</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AllowNetworkProtectionOnWinServer</NodeName>
<DFProperties>
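Review bot: OsBuildVersion for ExcludedIpAddresses is 10.0.14393, while this same commit raises the applicability of AllowSwitchToAsyncInspection and DisableDatagramProcessing from 1607 [10.0.14393] to 1709 [10.0.16299] and adds EnableConvertWarnToBlock at 10.0.16299. Confirm that 10.0.14393 is intended for this network inspection node and was not carried over from a template. The empty AllowedValues element with ValueType="None" also leaves the syntax of the address list undeclared.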
@ -1121,7 +1151,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
<Description>When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
<DFFormat>
<int />
</DFFormat>
@ -1141,11 +1171,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Disable Local Admin Merge</MSFT:ValueDescription>
<MSFT:ValueDescription>Yes</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enable Local Admin Merge</MSFT:ValueDescription>
<MSFT:ValueDescription>No</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -1827,7 +1857,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -1842,6 +1872,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableConvertWarnToBlock</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting controls whether network protection blocks network traffic instead of displaying a warning</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are converted to block</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are not converted to block</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableNetworkProtectionPerfTelemetry</NodeName>
<DFProperties>
@ -1998,6 +2067,84 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PerformanceModeStatus</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22000</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Performance mode is enabled (default). A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Performance mode is disabled. A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>SecurityIntelligenceLocationUpdateAtScheduledTimeOnly</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It is used together with the shared security intelligence location (SecurityIntelligenceLocation).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you either disable or do not configure this setting, updates occur whenever a new security intelligence update is detected at the location that is specified by SecurityIntelligenceLocation.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties>
@ -2037,6 +2184,38 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DaysUntilAggressiveCatchupQuickScan</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0,7-60]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ASROnlyPerRuleExclusions</NodeName>
<DFProperties>
@ -2157,6 +2336,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DataDuplicationMaximumQuota</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DataDuplicationLocalRetentionPeriod</NodeName>
<DFProperties>
@ -2418,7 +2627,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -2467,7 +2676,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.</MSFT:ValueDescription>
<MSFT:ValueDescription>Scheduled tasks will not be randomized.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
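Review bot: The description of value `0` is reversed here, from tasks starting "at a random time within 4 hours" to "Scheduled tasks will not be randomized", which changes how any existing policy that sets 0 should be read. Confirm that the other enum value in this block (cut off above the hunk) now carries the randomized wording, and that the allowed-values table in the Defender CSP page was changed the same way so the two documents do not contradict each other.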
@ -2511,6 +2720,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCacheMaintenance</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines whether the cache maintenance idle task will perform the cache maintenance or not.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
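Review bot: The DisableCacheMaintenance Description says the node defines "whether" the idle task performs cache maintenance but never says which value disables it, and with `<chr />` plus an empty `ValueType="None"` block the DDF gives no hint either. For an on/off switch, declare the accepted values as an `ENUM` with a `ValueDescription` for each and state the default, so an administrator does not have to guess the polarity of a setting that turns a Defender maintenance task off.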


@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/15/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Firewall-Begin -->
# Firewall CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Firewall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@ -3061,7 +3063,7 @@ This value configures the security association idle time, in seconds. Security a
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-OmaUri-Begin -->
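Review bot: The Applicable OS cell for HyperVFirewallRules moves from Windows 10, version 1709 [10.0.16299] to Windows 11, version 22H2 [10.0.22621], which removes every Windows 10 release from the documented support set. The merge commit message does not mention it; add a line explaining that the earlier value was incorrect, since anyone who scoped Hyper-V firewall policy from the old table needs to know the floor has changed.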
@ -3100,7 +3102,7 @@ A list of rules controlling traffic through the Windows Firewall for Hyper-V con
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-OmaUri-Begin -->
@ -3142,7 +3144,7 @@ Unique alpha numeric identifier for the rule. The rule name mustn't include a fo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-OmaUri-Begin -->
@ -3194,7 +3196,7 @@ Specifies the action the rule enforces:
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-OmaUri-Begin -->
@ -3249,7 +3251,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-OmaUri-Begin -->
@ -3299,7 +3301,7 @@ If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-OmaUri-Begin -->
@ -3351,7 +3353,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-OmaUri-Begin -->
@ -3391,7 +3393,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin -->
@ -3430,7 +3432,7 @@ Specifies the friendly name of the Hyper-V Firewall rule.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-OmaUri-Begin -->
@ -3470,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
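Review bot: Profiles is the only node under {FirewallRuleName} set to Windows Insider Preview [10.0.25398]; its siblings (Action, Direction, Enabled, Protocol and the rest) are set to 10.0.22621. The row also drops the "and later" suffix that the other rows keep. Add a sentence to the node's description saying Profiles is not available on 22H2, and make the suffix consistent, so a rule authored with Profiles is not assumed to work on the builds its neighbouring nodes list.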
@ -3520,7 +3522,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-OmaUri-Begin -->
@ -3560,7 +3562,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-OmaUri-Begin -->
@ -3610,7 +3612,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-OmaUri-Begin -->
@ -3650,7 +3652,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-OmaUri-Begin -->
@ -3689,7 +3691,7 @@ Provides information about the specific version of the rule in deployment for mo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-OmaUri-Begin -->
@ -3729,7 +3731,7 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
<!-- Device-MdmStore-HyperVVMSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-OmaUri-Begin -->
@ -3768,7 +3770,7 @@ Settings for the Windows Firewall for Hyper-V containers. Each setting applies o
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-OmaUri-Begin -->
@ -3810,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@ -3859,7 +3861,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-OmaUri-Begin -->
@ -3909,7 +3911,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-OmaUri-Begin -->
@ -3959,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
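Review bot: From this hunk on, DomainProfile, PrivateProfile, PublicProfile and all of their child nodes are marked Windows Insider Preview [10.0.25398], while the settings of the same names directly under {VMCreatorId} (DefaultInboundAction, DefaultOutboundAction, EnableFirewall) are marked 10.0.22621. The split is easy to miss when the tables are read one node at a time. State it once in the editable section of the HyperVVMSettings node: per-profile settings need the Insider build, and the {VMCreatorId}-level settings are the ones available on 22H2.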
@ -3997,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4047,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4097,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4147,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@ -4196,7 +4198,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-OmaUri-Begin -->
@ -4245,7 +4247,7 @@ This value is an on/off switch for the Hyper-V Firewall. This value controls the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-OmaUri-Begin -->
@ -4294,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@ -4332,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4382,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4432,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4482,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@ -4531,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@ -4569,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4619,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4669,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4719,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2815,6 +2815,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>
@ -3025,6 +3029,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
@ -3055,6 +3063,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
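Review bot: The Applicability block with 10.0.25398 is added to the parent node's DFProperties, and the hunk ends at the child `<NodeName>EnableFirewall</NodeName>` without showing whether the child carries a block of its own. The same pattern repeats in the next two hunks. Check that each child under these three parents either declares 10.0.25398 as well or omits Applicability entirely; a child left at a lower build would contradict the Insider Preview rows in the Firewall CSP page.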
@ -3244,6 +3256,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
@ -3433,6 +3449,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
@ -4424,6 +4444,10 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>
@ -4808,6 +4832,10 @@ If not specified - a new rule is disabled by default.</Description>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>


@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- LAPS-Begin -->
# LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@ -54,7 +56,7 @@ The following list shows the LAPS configuration service provider nodes:
<!-- Device-Actions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-Applicability-End -->
<!-- Device-Actions-OmaUri-Begin -->
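Review bot: The corrected Applicable OS cell still has two inconsistencies. The first entry, `[10.0.20348.1663] and later`, has no OS name while every other entry carries one, and the new `Windows Insider Preview [10.0.25145]` entry drops the "and later" that the old row had for that build. A reader checking whether LAPS policy applies to a given build cannot tell whether 10.0.25145 is a minimum or an exact match. The same row is repeated for every LAPS node in this file, so the fix belongs in the source that generates these tables.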
@ -93,7 +95,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP
<!-- Device-Actions-ResetPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPassword-Applicability-End -->
<!-- Device-Actions-ResetPassword-OmaUri-Begin -->
@ -133,7 +135,7 @@ This action invokes an immediate reset of the local administrator account passwo
<!-- Device-Actions-ResetPasswordStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPasswordStatus-Applicability-End -->
<!-- Device-Actions-ResetPasswordStatus-OmaUri-Begin -->
@ -178,7 +180,7 @@ The value returned is an HRESULT code:
<!-- Device-Policies-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-Applicability-End -->
<!-- Device-Policies-OmaUri-Begin -->
@ -218,7 +220,7 @@ Root node for LAPS policies.
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-End -->
<!-- Device-Policies-ADEncryptedPasswordHistorySize-OmaUri-Begin -->
@ -268,7 +270,7 @@ This setting has a maximum allowed value of 12 passwords.
<!-- Device-Policies-AdministratorAccountName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-AdministratorAccountName-Applicability-End -->
<!-- Device-Policies-AdministratorAccountName-OmaUri-Begin -->
@ -313,7 +315,7 @@ Note if a custom managed local administrator account name is specified in this s
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionEnabled-OmaUri-Begin -->
@ -375,7 +377,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionPrincipal-OmaUri-Begin -->
@ -431,7 +433,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-BackupDirectory-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-BackupDirectory-Applicability-End -->
<!-- Device-Policies-BackupDirectory-OmaUri-Begin -->
@ -489,7 +491,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PasswordAgeDays-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordAgeDays-Applicability-End -->
<!-- Device-Policies-PasswordAgeDays-OmaUri-Begin -->
@ -537,7 +539,7 @@ This setting has a maximum allowed value of 365 days.
<!-- Device-Policies-PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordComplexity-Applicability-End -->
<!-- Device-Policies-PasswordComplexity-OmaUri-Begin -->
@ -599,7 +601,7 @@ If not specified, this setting will default to 4.
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-End -->
<!-- Device-Policies-PasswordExpirationProtectionEnabled-OmaUri-Begin -->
@ -655,7 +657,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-PasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordLength-Applicability-End -->
<!-- Device-Policies-PasswordLength-OmaUri-Begin -->
@ -702,7 +704,7 @@ This setting has a maximum allowed value of 64 characters.
<!-- Device-Policies-PostAuthenticationActions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationActions-Applicability-End -->
<!-- Device-Policies-PostAuthenticationActions-OmaUri-Begin -->
@ -759,7 +761,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-End -->
<!-- Device-Policies-PostAuthenticationResetDelay-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -34,6 +34,7 @@ The following list shows the PassportForWork configuration service provider node
- [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
- [PINComplexity](#devicetenantidpoliciespincomplexity)
@ -265,6 +266,55 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
<!-- Device-{TenantId}-Policies-EnablePinRecovery-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Begin -->
#### Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
```
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-Begin -->
<!-- Description-Source-DDF -->
Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-End -->
<!-- Device-{TenantId}-Policies-ExcludeSecurityDevices-Begin -->
#### Device/{TenantId}/Policies/ExcludeSecurityDevices
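Review bot: The Editable block for EnableWindowsHelloProvisioningForSecurityKeys is left empty, so the only guidance for a setting that changes when Windows Hello credentials get provisioned is the one-line DDF description. Please state there what the default `false` means for users who sign in with a FIDO2 security key, and whether the setting interacts with the neighbouring `DisablePostLogonProvisioning` policy. Separately, "sign-in" is used as a verb in the description and should read "sign in"; the text is marked `Description-Source-DDF`, so that correction has to be made in the DDF.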

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableWindowsHelloProvisioningForSecurityKeys</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePostLogonProvisioning</NodeName>
<DFProperties>
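Review bot: `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>` in the Applicability block of the new EnableWindowsHelloProvisioningForSecurityKeys node is not a real build number, while the companion reference page in this commit lists the node as "Windows Insider Preview". Anything that reads the DDF to decide whether a device supports the node will never match this value. Replace it with the actual minimum build once it is known, or document next to the DDF that this value is the convention for preview-only nodes.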

View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/01/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -64,8 +64,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_AppXRuntime
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md)
@ -141,7 +139,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md)
@ -221,7 +218,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoRecycleBinIcon](policy-csp-admx-desktop.md)
- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md)
- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md)
- [NoDesktop](policy-csp-admx-desktop.md)
## ADMX_DeviceCompat
@ -542,7 +538,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md)
- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md)
- [RSoPLogging](policy-csp-admx-grouppolicy.md)
- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
- [FontMitigation](policy-csp-admx-grouppolicy.md)
## ADMX_Help
@ -1163,10 +1158,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_PowerShellExecutionPolicy
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
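Review bot: In this ADMX_PowerShellExecutionPolicy hunk, `EnableScripts` appears only once while the other three entries appear twice, and the hunk drops four lines (10 to 6). Please confirm that the de-duplicated list still contains `EnableScripts` along with `EnableModuleLogging` and `EnableTranscripting`, since these are the script execution and logging policies administrators look up from this index.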
@ -1339,7 +1330,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md)
- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md)
- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md)
- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md)
## ADMX_sdiageng
@ -1509,14 +1499,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoAutoTrayNotify](policy-csp-admx-startmenu.md)
- [Intellimenus](policy-csp-admx-startmenu.md)
- [NoInstrumentation](policy-csp-admx-startmenu.md)
- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
- [NoSetTaskbar](policy-csp-admx-startmenu.md)
- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
- [HidePowerOptions](policy-csp-admx-startmenu.md)
- [NoRun](policy-csp-admx-startmenu.md)
## ADMX_SystemRestore
@ -1590,8 +1573,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md)
- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md)
- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md)
- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
## ADMX_tcpip
@ -1849,132 +1830,13 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md)
- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md)
- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
- [Finance](policy-csp-admx-userexperiencevirtualization.md)
- [Games](policy-csp-admx-userexperiencevirtualization.md)
- [Maps](policy-csp-admx-userexperiencevirtualization.md)
- [Music](policy-csp-admx-userexperiencevirtualization.md)
- [News](policy-csp-admx-userexperiencevirtualization.md)
- [Reader](policy-csp-admx-userexperiencevirtualization.md)
- [Sports](policy-csp-admx-userexperiencevirtualization.md)
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
## ADMX_UserProfiles
@ -2089,35 +1951,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md)
- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md)
- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md)
- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md)
- [ShowSleepOption](policy-csp-admx-windowsexplorer.md)
- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md)
- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
## ADMX_WindowsMediaDRM
@ -2174,7 +2012,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md)
- [SoftwareSASGeneration](policy-csp-admx-winlogon.md)
- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md)
- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
## ADMX_Winsrv
@ -2204,7 +2041,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoQuietHours](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
- [NoLockScreenToastNotification](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
## AppRuntime
@ -2249,9 +2085,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## Autoplay
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
@ -2279,7 +2112,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## CredentialsUI
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [EnumerateAdministrators](policy-csp-credentialsui.md)
@ -2608,264 +2440,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
- [AddSearchProvider](policy-csp-internetexplorer.md)
- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
- [DisableUpdateCheck](policy-csp-internetexplorer.md)
- [DisableProxyChange](policy-csp-internetexplorer.md)
- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
- [AllowSuggestedSites](policy-csp-internetexplorer.md)
- [DisableCompatView](policy-csp-internetexplorer.md)
- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
- [DisableGeolocation](policy-csp-internetexplorer.md)
- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
- [NewTabDefaultPage](policy-csp-internetexplorer.md)
- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
- [SearchProviderList](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md)
- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
- [JScriptReplacement](policy-csp-internetexplorer.md)
- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [AllowAddOnList](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
- [AllowOneWordEntry](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [AllowFallbackToSSL3](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md)
- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
- [DisableCrashDetection](policy-csp-internetexplorer.md)
- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
## Kerberos
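Review bot: A removal of 253 lines from the InternetExplorer list (264 lines down to 11) is too large to verify by eye, and nothing in the hunk says why the entries go. The first three names in the hunk (`LockedDownIntranetJavaPermissions`, `RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer`, `DisableHTMLApplication`) recur as the last three entries before `## Kerberos`, which is consistent with dropping a repeated copy of the list. Please confirm that by comparing the sorted, de-duplicated set of entry names before and after the change, so that no name that appeared only once is lost. Several of these entries, such as `DisableBypassOfSmartScreenWarnings` and `CheckServerCertificateRevocation`, are security settings that administrators look up from this index.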
@ -3024,7 +2603,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## WindowsPowerShell
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
## Related articles
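Review bot: `TurnOnPowerShellScriptBlockLogging` appears twice in this hunk as identical lines and the header drops one line (7 to 6), so the index ends up with a single entry; if the two lines stood for separate scopes of the policy, that distinction is no longer visible here. Consider annotating the remaining entry, or pointing the link at the policy's own section rather than the bare `policy-csp-windowspowershell.md`, so that someone checking script block logging coverage lands on the right setting.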

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -40,8 +40,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md)
- [AllowGameDVR](policy-csp-applicationmanagement.md)
- [AllowSharedUserAppData](policy-csp-applicationmanagement.md)
- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md)
- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md)
- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md)
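Review bot: The header takes this ApplicationManagement block from 8 lines to 6, yet none of the eight names shown repeats within the hunk, so it is not evident from the diff that the two removed entries are duplicates. The block includes `MSIAlwaysInstallWithElevatedPrivileges` and `MSIAllowUserControlOverInstall`, which are settings that get audited; please state in the commit message which two entries go and confirm they are still listed elsewhere in this article or in the ADMX-backed list.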
@ -125,59 +123,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
- [AllowDeveloperTools](policy-csp-browser.md)
- [AllowDoNotTrack](policy-csp-browser.md)
- [AllowExtensions](policy-csp-browser.md)
- [AllowFlash](policy-csp-browser.md)
- [AllowFlashClickToRun](policy-csp-browser.md)
- [AllowFullScreenMode](policy-csp-browser.md)
- [AllowInPrivate](policy-csp-browser.md)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
- [AllowPasswordManager](policy-csp-browser.md)
- [AllowPopups](policy-csp-browser.md)
- [AllowPrinting](policy-csp-browser.md)
- [AllowSavingHistory](policy-csp-browser.md)
- [AllowSearchEngineCustomization](policy-csp-browser.md)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
- [AllowSideloadingOfExtensions](policy-csp-browser.md)
- [AllowSmartScreen](policy-csp-browser.md)
- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
- [ClearBrowsingDataOnExit](policy-csp-browser.md)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
- [ConfigureFavoritesBar](policy-csp-browser.md)
- [ConfigureHomeButton](policy-csp-browser.md)
- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
- [DisableLockdownOfStartPages](policy-csp-browser.md)
- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
- [AllowTabPreloading](policy-csp-browser.md)
- [AllowPrelaunch](policy-csp-browser.md)
- [EnterpriseModeSiteList](policy-csp-browser.md)
- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
- [HomePages](policy-csp-browser.md)
- [LockdownFavorites](policy-csp-browser.md)
- [ConfigureKioskMode](policy-csp-browser.md)
- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
- [PreventFirstRunPage](policy-csp-browser.md)
- [PreventCertErrorOverrides](policy-csp-browser.md)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
- [PreventLiveTileDataCollection](policy-csp-browser.md)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
- [ProvisionFavorites](policy-csp-browser.md)
- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
- [SetDefaultSearchEngine](policy-csp-browser.md)
- [SetHomeButtonURL](policy-csp-browser.md)
- [SetNewTabPageURL](policy-csp-browser.md)
- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
- [UnlockHomeButton](policy-csp-browser.md)
- [UseSharedFolderForBooks](policy-csp-browser.md)
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
@ -252,6 +197,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md)
- [TLSCipherSuites](policy-csp-cryptography.md)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md)
## Defender
@ -347,7 +294,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [EnablePerProcessDpi](policy-csp-display.md)
- [TurnOnGdiDPIScalingForApps](policy-csp-display.md)
- [TurnOffGdiDPIScalingForApps](policy-csp-display.md)
- [EnablePerProcessDpi](policy-csp-display.md)
- [EnablePerProcessDpiForApps](policy-csp-display.md)
- [DisablePerProcessDpiForApps](policy-csp-display.md)
@ -630,7 +576,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PublishUserActivities](policy-csp-privacy.md)
- [UploadUserActivities](policy-csp-privacy.md)
- [AllowCrossDeviceClipboard](policy-csp-privacy.md)
- [DisablePrivacyExperience](policy-csp-privacy.md)
- [LetAppsActivateWithVoice](policy-csp-privacy.md)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md)
@ -664,7 +609,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureTaskbarCalendar](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
- [AllowOnlineTips](policy-csp-settings.md)
## SmartScreen
@ -691,18 +635,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md)
- [DisableContextMenus](policy-csp-start.md)
- [ShowOrHideMostUsedApps](policy-csp-start.md)
- [HideFrequentlyUsedApps](policy-csp-start.md)
- [HideRecentlyAddedApps](policy-csp-start.md)
- [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md)
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
## Storage
@ -721,7 +655,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowBuildPreview](policy-csp-system.md)
- [AllowFontProviders](policy-csp-system.md)
- [AllowLocation](policy-csp-system.md)
- [AllowTelemetry](policy-csp-system.md)
- [TelemetryProxy](policy-csp-system.md)
- [DisableOneDriveFileSync](policy-csp-system.md)
- [AllowWUfBCloudProcessing](policy-csp-system.md)
@ -767,7 +700,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md)
- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md)
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
## Troubleshooting
@ -842,6 +774,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
- [AllowOptionalContent](policy-csp-update.md)
## UserRights

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/01/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -73,6 +73,12 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender
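Review bot: The Cryptography entries added to this Surface Hub list include ConfigureEllipticCurveCryptography, ConfigureSystemCryptographyForceStrongKeyProtection and the four OverrideMinimumEnabled* policies, but their applicability tables in policy-csp-cryptography.md in this same commit list only "Windows Insider Preview" as the applicable OS. Please confirm these are actually supported on the Surface Hub builds this article covers. If they are preview-only, either hold them back from this list or mark them as preview here.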
@ -313,6 +319,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)

View File

@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage

View File

@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowActionCenterNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowActionCenterNotifications-Applicability-End -->
<!-- AllowActionCenterNotifications-OmaUri-Begin -->
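Review bot: The Windows SE entry in the Editions cell of the AllowActionCenterNotifications row still has no ✅ or ❌ in front of it after this change, although Pro, Enterprise and Education are flipped from ❌ to ✅ in the same cell. Since the row is being regenerated anyway, give Windows SE an explicit marker so the support status is unambiguous, as the Cryptography tables in this commit do with `✅ Windows SE`. The same unmarked Windows SE cell appears in the other applicability rows this commit changes (ApplicationRestrictions, AllowBrowser, FirstRunURL, AllowNFC, AllowUSBConnection and others).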

View File

@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -435,7 +435,7 @@ Manages a Windows app's ability to share data between users who have installed t
<!-- AllowStore-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowStore-Applicability-End -->
<!-- AllowStore-OmaUri-Begin -->
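Review bot: In the AllowStore applicability row only Enterprise changes to ✅, while Pro stays ❌ and Education carries no marker at all, which differs from the sibling rows in this commit where Pro, Enterprise and Education flip together. Please confirm that Pro is intentionally left unsupported, and add an explicit ✅ or ❌ for Education so the cell can't be misread.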
@ -487,7 +487,7 @@ This policy is deprecated.
<!-- ApplicationRestrictions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- ApplicationRestrictions-Applicability-End -->
<!-- ApplicationRestrictions-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -185,7 +185,7 @@ To verify AllowAutofill is set to 0 (not allowed):
<!-- AllowBrowser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowBrowser-Applicability-End -->
<!-- AllowBrowser-OmaUri-Begin -->
@ -2720,7 +2720,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM
<!-- FirstRunURL-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- FirstRunURL-Applicability-End -->
<!-- FirstRunURL-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -259,7 +259,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i
<!-- AllowNFC-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowNFC-Applicability-End -->
<!-- AllowNFC-OmaUri-Begin -->
@ -382,7 +382,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
<!-- AllowUSBConnection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowUSBConnection-Applicability-End -->
<!-- AllowUSBConnection-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
@ -78,6 +80,283 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- AllowFipsAlgorithmPolicy-End -->
<!-- ConfigureEllipticCurveCryptography-Begin -->
## ConfigureEllipticCurveCryptography
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography
```
<!-- ConfigureEllipticCurveCryptography-OmaUri-End -->
<!-- ConfigureEllipticCurveCryptography-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line)
- If you disable or don't configure this policy setting, the default ECC curve order is used.
Default Curve Order
curve25519
NistP256
NistP384
To See all the curves supported on the system, Use the following command:
CertUtil.exe -DisplayEccCurve.
<!-- ConfigureEllipticCurveCryptography-Description-End -->
<!-- ConfigureEllipticCurveCryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Editable-End -->
<!-- ConfigureEllipticCurveCryptography-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- ConfigureEllipticCurveCryptography-DFProperties-End -->
<!-- ConfigureEllipticCurveCryptography-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCurveOrder |
| Friendly Name | ECC Curve Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- ConfigureEllipticCurveCryptography-GpMapping-End -->
<!-- ConfigureEllipticCurveCryptography-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Examples-End -->
<!-- ConfigureEllipticCurveCryptography-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Begin -->
## ConfigureSystemCryptographyForceStrongKeyProtection
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection
```
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-Begin -->
<!-- Description-Source-DDF -->
System cryptography: Force strong key protection for user keys stored on the computer. Last write wins.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-Begin -->
**Allowed values**:
| Flag | Description |
|:--|:--|
| 8 | An app container has accessed a medium key that isn't strongly protected. For example, a key that's for user consent only, or is password or fingerprint protected. |
| 2 (Default) | Force high protection. |
| 1 | Display the strong key user interface as needed. |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Begin -->
## OverrideMinimumEnabledDTLSVersionClient
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient
```
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Begin -->
## OverrideMinimumEnabledDTLSVersionServer
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer
```
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Begin -->
## OverrideMinimumEnabledTLSVersionClient
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionClient
```
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Begin -->
## OverrideMinimumEnabledTLSVersionServer
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionServer
```
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-End -->
<!-- TLSCipherSuites-Begin -->
## TLSCipherSuites
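Review bot: The descriptions for OverrideMinimumEnabledDTLSVersionClient and OverrideMinimumEnabledDTLSVersionServer read "Override minimal enabled TLS version for client role" and "... for server role", word for word the same as the TLS policies, so nothing tells an admin that these nodes set the DTLS floor. Change the wording to say DTLS. Because all four Override* nodes are free-form `chr` strings with default `1.0` and no Allowed Values table, also list the accepted version strings, ideally in the Editable block so the text survives regeneration. Separately, the ConfigureEllipticCurveCryptography description says "Enter one Curve name per line" while its DFProperties table gives `List (Delimiter: ;)`. State which format the CSP value expects. In ConfigureSystemCryptographyForceStrongKeyProtection, the description for flag 8 ("An app container has accessed a medium key...") doesn't read like a setting of this policy and should be checked against the source.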
@ -94,8 +373,14 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- TLSCipherSuites-OmaUri-End -->
<!-- TLSCipherSuites-Description-Begin -->
<!-- Description-Source-DDF -->
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
<!-- Description-Source-ADMX -->
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
- If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
- If you disable or don't configure this policy setting, default cipher suite order is used.
Link for all the cipherSuites: <https://go.microsoft.com/fwlink/?LinkId=517265>
<!-- TLSCipherSuites-Description-End -->
<!-- TLSCipherSuites-Editable-Begin -->
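Review bot: The ADMX-sourced description for TLSCipherSuites no longer says that the value is a semicolon-delimited list or that last write wins, both of which the DDF-sourced line stated. The DFProperties table still gives `List (Delimiter: ;)`, but an MDM admin reading only the description now gets the Group Policy wording, which refers to "Secure Socket Layer (SSL)" for a policy named TLSCipherSuites. Consider restoring the format and last-write-wins statements in the TLSCipherSuites-Editable block, along with a short note that the order applies to TLS cipher suites.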
@ -112,6 +397,19 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
| Allowed Values | List (Delimiter: `;`) |
<!-- TLSCipherSuites-DFProperties-End -->
<!-- TLSCipherSuites-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCipherSuiteOrder |
| Friendly Name | SSL Cipher Suite Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- TLSCipherSuites-GpMapping-End -->
<!-- TLSCipherSuites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TLSCipherSuites-Examples-End -->
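Review bot: The group policy mapping table for TLSCipherSuites gives the Registry Key Name `SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002` but no registry value, and the ConfigureEllipticCurveCryptography mapping added in this commit lists the identical key for SSLCurveOrder. As written, the two policies can't be told apart at the registry level, which matters to anyone auditing the effective cipher suite or curve order on a device. Add a row naming the registry value to both tables.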

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -444,6 +444,9 @@ This policy setting allows you to manage whether or not to scan for malicious so
<!-- AllowIntrusionPreventionSystem-Begin -->
## AllowIntrusionPreventionSystem
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- AllowIntrusionPreventionSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|

View File

@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -121,7 +121,7 @@ Allow Administrator account lockout This security setting determines whether the
<!-- AllowIdleReturnWithoutPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowIdleReturnWithoutPassword-Applicability-End -->
<!-- AllowIdleReturnWithoutPassword-OmaUri-Begin -->
@ -789,7 +789,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-End -->
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-OmaUri-Begin -->

View File

@ -46,6 +46,8 @@ This policy is intended to provide more security against external DMA capable de
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy requires a system reboot to take effect.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
<!-- DeviceEnumerationPolicy-Editable-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -107,7 +107,7 @@ Policy change takes effect immediately.
<!-- AllowCopyPaste-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowCopyPaste-Applicability-End -->
<!-- AllowCopyPaste-OmaUri-Begin -->
@ -840,7 +840,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide
<!-- AllowTaskSwitcher-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowTaskSwitcher-Applicability-End -->
<!-- AllowTaskSwitcher-OmaUri-Begin -->
@ -956,7 +956,7 @@ Specifies whether to allow app and content suggestions from third-party software
<!-- AllowVoiceRecording-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowVoiceRecording-Applicability-End -->
<!-- AllowVoiceRecording-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MixedReality-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices.
@ -538,6 +540,153 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- DisallowNetworkConnectivityPassivePolling-End -->
<!-- EnableStartMenuSingleHandGesture-Begin -->
## EnableStartMenuSingleHandGesture
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuSingleHandGesture
```
<!-- EnableStartMenuSingleHandGesture-OmaUri-End -->
<!-- EnableStartMenuSingleHandGesture-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu is enabled or not.
<!-- EnableStartMenuSingleHandGesture-Description-End -->
<!-- EnableStartMenuSingleHandGesture-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Editable-End -->
<!-- EnableStartMenuSingleHandGesture-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuSingleHandGesture-DFProperties-End -->
<!-- EnableStartMenuSingleHandGesture-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
| 1 (Default) | Allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
<!-- EnableStartMenuSingleHandGesture-AllowedValues-End -->
<!-- EnableStartMenuSingleHandGesture-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Examples-End -->
<!-- EnableStartMenuSingleHandGesture-End -->
<!-- EnableStartMenuVoiceCommand-Begin -->
## EnableStartMenuVoiceCommand
<!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuVoiceCommand
```
<!-- EnableStartMenuVoiceCommand-OmaUri-End -->
<!-- EnableStartMenuVoiceCommand-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if using voice commands to open the Start menu is enabled or not.
<!-- EnableStartMenuVoiceCommand-Description-End -->
<!-- EnableStartMenuVoiceCommand-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Editable-End -->
<!-- EnableStartMenuVoiceCommand-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuVoiceCommand-DFProperties-End -->
<!-- EnableStartMenuVoiceCommand-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Using voice commands to open the Start menu is disabled. |
| 1 (Default) | Using voice commands to open the Start menu is enabled. |
<!-- EnableStartMenuVoiceCommand-AllowedValues-End -->
<!-- EnableStartMenuVoiceCommand-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Examples-End -->
<!-- EnableStartMenuVoiceCommand-End -->
<!-- EnableStartMenuWristTap-Begin -->
## EnableStartMenuWristTap
<!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuWristTap
```
<!-- EnableStartMenuWristTap-OmaUri-End -->
<!-- EnableStartMenuWristTap-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if tapping the Star icon on your wrist to open the Start menu is enabled or not.
<!-- EnableStartMenuWristTap-Description-End -->
<!-- EnableStartMenuWristTap-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Editable-End -->
<!-- EnableStartMenuWristTap-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuWristTap-DFProperties-End -->
<!-- EnableStartMenuWristTap-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow tapping the Start icon on your wrist to open the Start menu. |
| 1 (Default) | Allow tapping the Start icon on your wrist to open the Start menu. |
<!-- EnableStartMenuWristTap-AllowedValues-End -->
<!-- EnableStartMenuWristTap-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Examples-End -->
<!-- EnableStartMenuWristTap-End -->
<!-- EyeTrackingCalibrationPrompt-Begin -->
## EyeTrackingCalibrationPrompt
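Review bot: the EnableStartMenuWristTap description reads "tapping the Star icon on your wrist", while both of its allowed-value rows say "Start icon". Fix the typo in the DDF source, since these lines are marked Description-Source-DDF and text outside the Editable sections gets overwritten. The three new descriptions also use "controls if ... is enabled or not", which would read more cleanly as "controls whether ... is enabled".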
@ -852,6 +1001,153 @@ The following example XML string shows the value to enable this policy:
<!-- NtpClientEnabled-End -->
<!-- PreferLogonAsOtherUser-Begin -->
## PreferLogonAsOtherUser
<!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/PreferLogonAsOtherUser
```
<!-- PreferLogonAsOtherUser-OmaUri-End -->
<!-- PreferLogonAsOtherUser-Description-Begin -->
<!-- Description-Source-DDF -->
This policy configures whether the Sign-In App should prefer showing Other User panel to user.
<!-- PreferLogonAsOtherUser-Description-End -->
<!-- PreferLogonAsOtherUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Editable-End -->
<!-- PreferLogonAsOtherUser-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- PreferLogonAsOtherUser-DFProperties-End -->
<!-- PreferLogonAsOtherUser-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- PreferLogonAsOtherUser-AllowedValues-End -->
<!-- PreferLogonAsOtherUser-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Examples-End -->
<!-- PreferLogonAsOtherUser-End -->
<!-- RequireStartIconHold-Begin -->
## RequireStartIconHold
<!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconHold
```
<!-- RequireStartIconHold-OmaUri-End -->
<!-- RequireStartIconHold-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's require that the Start icon to be pressed for 2 seconds to open the Start menu.
<!-- RequireStartIconHold-Description-End -->
<!-- RequireStartIconHold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconHold-Editable-End -->
<!-- RequireStartIconHold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconHold-DFProperties-End -->
<!-- RequireStartIconHold-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be pressed for 2 seconds. |
| 1 | Require the Start icon to be pressed for 2 seconds. |
<!-- RequireStartIconHold-AllowedValues-End -->
<!-- RequireStartIconHold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconHold-Examples-End -->
<!-- RequireStartIconHold-End -->
<!-- RequireStartIconVisible-Begin -->
## RequireStartIconVisible
<!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconVisible
```
<!-- RequireStartIconVisible-OmaUri-End -->
<!-- RequireStartIconVisible-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's required that the Start icon to be looked at when you tap it to open the Start menu.
<!-- RequireStartIconVisible-Description-End -->
<!-- RequireStartIconVisible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Editable-End -->
<!-- RequireStartIconVisible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconVisible-DFProperties-End -->
<!-- RequireStartIconVisible-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be looked at when you tap it. |
| 1 | Require the Start icon to be looked at when you tap it. |
<!-- RequireStartIconVisible-AllowedValues-End -->
<!-- RequireStartIconVisible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Examples-End -->
<!-- RequireStartIconVisible-End -->
<!-- SkipCalibrationDuringSetup-Begin -->
## SkipCalibrationDuringSetup
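Review bot: two of the new descriptions are ungrammatical. RequireStartIconHold says "controls if it's require that the Start icon to be pressed for 2 seconds" and RequireStartIconVisible says "controls if it's required that the Start icon to be looked at". Suggest "controls whether the Start icon must be pressed for 2 seconds to open the Start menu" and matching wording for RequireStartIconVisible. PreferLogonAsOtherUser documents its values only as "Disabled." and "Enabled." and leaves the Editable section empty, so what each value changes on the sign-in screen is not stated.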

View File

@ -4,7 +4,7 @@ description: Learn more about the NetworkListManager Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -37,7 +37,7 @@ ms.topic: reference
<!-- AllowedTlsAuthenticationEndpoints-Description-Begin -->
<!-- Description-Source-DDF -->
List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
List of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
<!-- AllowedTlsAuthenticationEndpoints-Description-End -->
<!-- AllowedTlsAuthenticationEndpoints-Editable-Begin -->
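Review bot: the spelling fix is fine, but the corrected sentence still says the network is considered authenticated if any URL "can be resolved over HTTPS", which leaves unclear whether name resolution, a completed TLS handshake or a successful HTTPS response is the condition. For a policy named AllowedTlsAuthenticationEndpoints that distinction decides when a network is treated as authenticated, so the description should state the exact check.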

View File

@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Privacy-Begin -->
# Policy CSP - Privacy
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Privacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Privacy-Editable-End -->
@ -2934,7 +2936,7 @@ If an app is open when this Group Policy object is applied on a device, employee
<!-- LetAppsAccessHumanPresence-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence-Applicability-End -->
<!-- LetAppsAccessHumanPresence-OmaUri-Begin -->
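Review bot: the Applicable OS cell changes from "[10.0.25000] and later" to "Windows Insider Preview [10.0.25000]", which drops "and later" so the row now reads as applying to a single build. If the policy is meant to apply from that build onward, keep the "and later" wording alongside the Insider Preview label. The same wording recurs in the three LetAppsAccessHumanPresence_* rows that follow.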
@ -2994,7 +2996,7 @@ This policy setting specifies whether Windows apps can access the human presence
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-Begin -->
@ -3044,7 +3046,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-Begin -->
@ -3094,7 +3096,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1123,7 +1123,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!-- SafeSearchPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- SafeSearchPermissions-Applicability-End -->
<!-- SafeSearchPermissions-OmaUri-Begin -->
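Review bot: in the SafeSearchPermissions applicability row the Pro, Enterprise and Education cells flip from ❌ to ✅, but the Windows SE entry carries no marker in either the old or the new line, so the table does not say whether the policy is supported there. Add the ✅ or ❌ for Windows SE in the same change.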

View File

@ -4,7 +4,7 @@ description: Learn more about the Security Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -78,7 +78,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni
<!-- AllowManualRootCertificateInstallation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowManualRootCertificateInstallation-Applicability-End -->
<!-- AllowManualRootCertificateInstallation-OmaUri-Begin -->
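Review bot: AllowManualRootCertificateInstallation goes from unsupported (❌) to supported (✅) on Pro, Enterprise and Education while the Applicable OS column stays at "Windows 10, version 1507 [10.0.10240] and later". This row is what tells an admin whether the restriction on manual root certificate installation can be relied on for a given edition, so the change should say whether the earlier ❌ values were a documentation error or whether support changed.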
@ -179,7 +179,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin
<!-- AntiTheftMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AntiTheftMode-Applicability-End -->
<!-- AntiTheftMode-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage

View File

@ -4,7 +4,7 @@ description: Learn more about the TimeLanguageSettings Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowSet24HourClock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
<!-- AllowSet24HourClock-Applicability-End -->
<!-- AllowSet24HourClock-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -25,6 +25,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@ -106,6 +107,65 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
<!-- AllowOptionalContent-Begin -->
### AllowOptionalContent
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
```
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionalContent-Editable-End -->
<!-- AllowOptionalContent-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionalContent-DFProperties-End -->
<!-- AllowOptionalContent-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Device doesn't receive optional updates. |
| 1 | Device receives optional updates and user can install from WU Settings page. |
| 2 | Device receives optional updates and install them as soon as they're available. |
<!-- AllowOptionalContent-AllowedValues-End -->
<!-- AllowOptionalContent-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionalContent-Examples-End -->
<!-- AllowOptionalContent-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
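Review bot: the AllowOptionalContent description does not parse: "enables devices to get offered optional updates and users interact with the ... toggle" is missing a verb, for example "and lets users interact with". In the allowed values, the row for 2 says "install them" where "installs them" is meant, and none of the three rows says how the toggle named in the description behaves for that value.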
@ -393,6 +453,7 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you
| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). |
| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). |
| 64 | {0x40} - Release Preview of Quality Updates Only. |
| 128 | {0x80} - Canary Channel. |
<!-- BranchReadinessLevel-AllowedValues-End -->
<!-- BranchReadinessLevel-GpMapping-Begin -->
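Review bot: the new row "| 128 | {0x80} - Canary Channel. |" gives only the channel name, while the rows for 16 and 32 above it say which updates the device gets; add the same kind of sentence for Canary. The neighbouring row for 32 also has a stray "2" before "{0x20}" that could be cleaned up while this table is being touched.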
@ -2079,41 +2140,8 @@ Note that the default max active hours range is 18 hours from the active hours s
<!-- AllowAutoUpdate-OmaUri-End -->
<!-- AllowAutoUpdate-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you won't get security updates as well. If the policy isn't configured, end-users get the default behavior (Auto install and restart).
<!-- AllowAutoUpdate-Description-End -->
<!-- AllowAutoUpdate-Editable-Begin -->
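Review bot: with this hunk shrinking from 41 lines to 8, the description that remains says "This option should be used only for systems under regulatory compliance, as you won't get security updates as well" without naming which option it means, and the per-value explanations (2, 3, 4, 5, 7) no longer sit beside it. A reader can't tell which value stops security updates; name the value in that sentence or carry the warning in the allowed-values table. "Important." would also read better as a note than as a one-word sentence.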
@ -2245,41 +2273,8 @@ This policy is accessible through the Update setting in the user interface or Gr
<!-- AllowMUUpdateService-OmaUri-End -->
<!-- AllowMUUpdateService-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<!-- AllowMUUpdateService-Description-End -->
<!-- AllowMUUpdateService-Editable-Begin -->
@ -2824,41 +2819,8 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
<!-- ScheduledInstallDay-OmaUri-End -->
<!-- ScheduledInstallDay-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the day of the update installation. The data type is a integer.
<!-- ScheduledInstallDay-Description-End -->
<!-- ScheduledInstallDay-Editable-Begin -->
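Review bot: The replacement DDF description for ScheduledInstallDay reads "The data type is a integer", which should be "an integer", and its wording differs from the "Value type is integer." used by the week-based nodes later in this file. The description line also no longer says which integer corresponds to which day, whereas the ScheduledInstallTime description spells out its range (0-23); unless the allowed values are listed elsewhere in the page, add the mapping here so an admin cannot schedule installs on the wrong day.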
@ -2928,41 +2890,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallEveryWeek-OmaUri-End -->
<!-- ScheduledInstallEveryWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the every week. Value type is integer.
<!-- ScheduledInstallEveryWeek-Description-End -->
<!-- ScheduledInstallEveryWeek-Editable-Begin -->
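Review bot: The new ScheduledInstallEveryWeek description says "schedule the update installation on the every week", which is ungrammatical; suggest "schedule the update installation every week". The sibling descriptions ("on the first week of the month" and so on) read correctly, so only this one needs the fix.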
@ -3026,41 +2955,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallFirstWeek-OmaUri-End -->
<!-- ScheduledInstallFirstWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer.
<!-- ScheduledInstallFirstWeek-Description-End -->
<!-- ScheduledInstallFirstWeek-Editable-Begin -->
@ -3133,41 +3029,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallFourthWeek-OmaUri-End -->
<!-- ScheduledInstallFourthWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer.
<!-- ScheduledInstallFourthWeek-Description-End -->
<!-- ScheduledInstallFourthWeek-Editable-Begin -->
@ -3240,41 +3103,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallSecondWeek-OmaUri-End -->
<!-- ScheduledInstallSecondWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer.
<!-- ScheduledInstallSecondWeek-Description-End -->
<!-- ScheduledInstallSecondWeek-Editable-Begin -->
@ -3347,41 +3177,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallThirdWeek-OmaUri-End -->
<!-- ScheduledInstallThirdWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer.
<!-- ScheduledInstallThirdWeek-Description-End -->
<!-- ScheduledInstallThirdWeek-Editable-Begin -->
@ -3454,41 +3251,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-OmaUri-End -->
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->
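Review bot: The new ScheduledInstallTime description starts mid-sentence with "the IT admin to schedule the time of the update installation", so the leading verb has been lost; the other nodes in this file open with "Enables the IT admin to ...". The same line also has "a integer" where "an integer" is meant. The range and default (0-23, default 3) are stated clearly and should stay.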

@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- Device-{ProfileName}-EdpModeId-Description-End -->
<!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -3119,7 +3119,7 @@ Type of routing policy.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
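Review bot: The Servers description still has defects on the same line this hunk touches to correct "seperated": there is no period between "vpn.contoso.com" and "The name can be", and "You can make a list of server" should read "a list of servers". Because the two examples run into the next sentence, a reader can misread where the gateway address ends, so fix these in the same pass and carry the correction to the User-scope copy of this text.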
@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- User-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- User-{ProfileName}-EdpModeId-Description-End -->
<!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7359,7 +7359,7 @@ Type of routing policy.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->

@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- WindowsLicensing-Begin -->
# WindowsLicensing CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsLicensing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The WindowsLicensing configuration service provider is designed for licensing related management scenarios.
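Review bot: The added `[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]` line sits above `<!-- WindowsLicensing-Editable-Begin -->`, and the comment inside that section states that anything outside it will get overwritten. Confirm the include is emitted by the generator rather than added by hand; if it is hand-added, it will be lost on the next regeneration and belongs inside the editable section instead.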
@ -161,7 +163,7 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
<!-- Device-DeviceLicensingService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-Applicability-End -->
<!-- Device-DeviceLicensingService-OmaUri-Begin -->
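Review bot: In the Applicable OS cell, the new 21H2 entry carries a revision number ([10.0.22000.1165]) while the 22H2 entry beside it stops at the build ([10.0.22621]). If 21H2 support depends on that update level, state it in the surrounding text or confirm the revision is intentional, since admins checking fleet eligibility will compare against the full build string. The same cell change repeats for the other DeviceLicensingService nodes in this file, so any correction applies to each of them.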
@ -200,7 +202,7 @@ Device Based Subscription.
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-OmaUri-Begin -->
@ -239,7 +241,7 @@ Returns the last error code of Refresh/Remove Device License operation. Value wo
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-OmaUri-Begin -->
@ -278,7 +280,7 @@ Returns last error description from Device Licensing. Value would be empty, if e
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-OmaUri-Begin -->
@ -317,7 +319,7 @@ Returns the status of Refresh/Remove Device License operation.
<!-- Device-DeviceLicensingService-LicenseType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-LicenseType-Applicability-End -->
<!-- Device-DeviceLicensingService-LicenseType-OmaUri-Begin -->
@ -997,7 +999,7 @@ Returns the status of the subscription.
<!-- Device-Subscriptions-DisableSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-DisableSubscription-Applicability-End -->
<!-- Device-Subscriptions-DisableSubscription-OmaUri-Begin -->
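Review bot: The Applicable OS cell for DisableSubscription changes from "Windows 10, version 1607 [10.0.14393] and later" to "Windows Insider Preview", which removes every released build from the table, and the same replacement is repeated in the five Subscriptions hunks that follow. If these nodes are in fact new and the 1607 value was wrong, the commit message should say so; if they exist on released builds, this is a documentation regression. Administrators who scope or audit policy by this table would now conclude that subscription activation cannot be controlled on any shipping device, so the change deserves an explicit confirmation before merge.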
@ -1045,7 +1047,7 @@ Disable or Enable subscription activation on a device.
<!-- Device-Subscriptions-RemoveSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-RemoveSubscription-Applicability-End -->
<!-- Device-Subscriptions-RemoveSubscription-OmaUri-Begin -->
@ -1084,7 +1086,7 @@ Remove subscription uninstall subscription license. It also reset subscription t
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastError-OmaUri-Begin -->
@ -1123,7 +1125,7 @@ Error code of last subscription operation. Value would be empty(0) in absence of
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-Begin -->
@ -1162,7 +1164,7 @@ Error description of last subscription operation. Value would be empty, if error
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionStatus-OmaUri-Begin -->
@ -1201,7 +1203,7 @@ Status of last subscription operation.
<!-- Device-Subscriptions-SubscriptionType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionType-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionType-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -342,6 +342,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
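Review bot: The added `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>` and `<MSFT:CspVersion>9.9</MSFT:CspVersion>` look like sentinel values rather than a real build and CSP version, and the same block is added in five more hunks below (six in total, matching the six Subscriptions tables that became "Windows Insider Preview" in the markdown page). Any tool that reads the DDF to decide whether a node is available will compare a device build against 99.9.99999 and treat the node as unsupported everywhere. Please confirm this is the intended Insider Preview marker, and track replacing both values with the real minimum build and CSP version once they are known.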
@ -373,6 +377,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -394,6 +402,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -415,6 +427,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -436,6 +452,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
@ -467,6 +487,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node>
@ -600,7 +624,7 @@ The following XML file contains the device description framework (DDF) for the W
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.22621, 10.0.22000.1165</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
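Review bot: `<MSFT:OsBuildVersion>10.0.22621, 10.0.22000.1165</MSFT:OsBuildVersion>` now carries two builds in one element, listed newest first, while the markdown tables list 21H2 before 22H2. A consumer that parses this element as a single version string will fail or pick up only the first entry, so please confirm the comma-separated form is what DDF consumers expect here. Also, the markdown page adds the 21H2 row to five tables (DeviceLicensingService and four child nodes), but only this one Applicability block changes in the visible DDF diff; if the child nodes do not inherit applicability from this node, their DDF entries need the same update.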