diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1fc2ec8e56..00a95b4582 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18956,10 +18956,10 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", + "redirect_url": "/windows/security/", "redirect_document_id": false - }, + } ] diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index f66a07d2e4..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "cSpell.words": [ - "emie" - ] -} \ No newline at end of file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0897f1666a..93d1598529 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -167,6 +167,15 @@ ms.date: 10/08/2020 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) +- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) +- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) +- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) +- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) +- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) +- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) +- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) +- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) +- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) @@ -404,6 +413,9 @@ ms.date: 10/08/2020 - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) +- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) +- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) +- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) @@ -841,6 +853,14 @@ ms.date: 10/08/2020 - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) +- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1) +- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2) +- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1) +- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2) +- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1) +- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2) +- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1) +- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2) - [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting) - [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation) - [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl) @@ -941,12 +961,17 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) +- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) +- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) +- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) +- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) +- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) @@ -1052,6 +1077,8 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) - [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) +- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) +- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -1087,9 +1114,15 @@ ms.date: 10/08/2020 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) +- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1) +- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2) +- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1) +- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2) - [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name) - [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name) - [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name) @@ -1241,9 +1274,13 @@ ms.date: 10/08/2020 - [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) - [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) - [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) +- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy) +- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy) - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) - [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled) +- [ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1](./policy-csp-admx-windowscolorsystem.md#admx-windowscolorsystem-prohibitchanginginstalledprofilelist_1] +- [ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2](./policy-csp-admx-windowscolorsystem.md#admx-windowscolorsystem-prohibitchanginginstalledprofilelist_2] - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a4847a452f..b4bd9c3452 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -747,6 +747,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### ADMX_DiskNVCache policies + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ +### ADMX_DiskQuota policies + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ ### ADMX_DistributedLinkTracking policies
@@ -1578,6 +1615,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ ### ADMX_kdc policies
@@ -3000,6 +3057,35 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_PreviousVersions policies + +
+
+ ADMX_PreviousVersions/DisableLocalPage_1 +
+
+ ADMX_PreviousVersions/DisableLocalPage_2 +
+
+ ADMX_PreviousVersions/DisableRemotePage_1 +
+
+ ADMX_PreviousVersions/DisableRemotePage_2 +
+
+ ADMX_PreviousVersions/HideBackupEntries_1 +
+
+ ADMX_PreviousVersions/HideBackupEntries_2 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_1 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_2 +
+
+ ### ADMX_Printing policies
@@ -3329,6 +3415,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_sdiagschd policies + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ ### ADMX_sdiageng policies
@@ -3371,6 +3465,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_ServerManager policies + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ ### ADMX_Servicing policies
@@ -3521,6 +3632,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_Snmp/SNMP_Traps_Public
+ +
### ADMX_StartMenu policies @@ -3736,6 +3849,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ ### ADMX_Taskbar policies
@@ -3851,6 +3975,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ ### ADMX_Thumbnails policies
@@ -3865,6 +4000,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TouchInput policies + +
+
+ ADMX_TouchInput/TouchInputOff_1 +
+
+ ADMX_TouchInput/TouchInputOff_2 +
+
+ ADMX_TouchInput/PanningEverywhereOff_1 +
+
+ ADMX_TouchInput/PanningEverywhereOff_2 +
+
+ ### ADMX_TPM policies
@@ -4343,6 +4495,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_WDI Policies + +
+
+ ADMX_WDI/WdiDpsScenarioExecutionPolicy +
+
+ ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
+
+ ### ADMX_WinCal policies
@@ -4362,6 +4525,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_WindowsColorSystem policies + +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
+
+ ### ADMX_WindowsConnectNow policies
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..c3d8c37963 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -40,29 +40,30 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1
YesYes
@@ -83,7 +84,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera ADMX Info: -- GP English name: *Allow Cortana above lock screen* +- GP Friendly name: *Allow Cortana above lock screen* - GP name: *AllowCortanaAboveLock* - GP path: *Windows Components/Search* - GP ADMX file name: *Search.admx* @@ -106,29 +107,25 @@ The following list shows the supported values: - - + + + - + - - - - - + - + - - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYes, starting in Windows 10, version 1607Yes
Enterprisecheck markYes, starting in Windows 10, version 1607Yes
Educationcheck mark
Yes, starting in Windows 10, version 1607Yes
@@ -159,16 +156,5 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 644ff6136e..ed466fe64a 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -42,36 +42,39 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
Mobilecheck markYesYes
Mobile Enterprisecheck markYesYes
@@ -113,36 +116,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
Mobilecheck markYesYes
Mobile Enterprisecheck markYesYes
@@ -181,36 +192,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
Mobilecheck mark2YesYes
Mobile Enterprisecheck mark2YesYes
@@ -246,15 +265,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 0ed2ddc357..95c9e7d80b 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - ActiveXControls +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,29 +42,28 @@ manager: dansimp - - + + + - + - - - - - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck mark
YesYes
@@ -83,12 +88,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,16 +100,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 67982daf0e..c574952e31 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -13,8 +13,14 @@ manager: dansimp --- # Policy CSP - ADMX_ActiveXInstallService -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -36,29 +42,28 @@ manager: dansimp - - - + + + - + + - - - - - + + - + + - - + +
Windows EditionSupported?
EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
Businesscross markYesYes
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -74,7 +79,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. +This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. @@ -86,12 +91,6 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +103,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 0c7c4b543b..dfb1da857f 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -14,8 +14,13 @@ manager: dansimp # Policy CSP - ADMX_AddRemovePrograms -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -67,28 +72,16 @@ manager: dansimp - - + + + - + + - - - - - - - - - - - - - - - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
@@ -106,7 +99,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -116,12 +109,6 @@ If you disable this setting or do not configure it, all programs (Category: All) > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -150,28 +137,30 @@ ADMX Info: - - + + + - + + - + + - - + + -
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
Enterprisecheck markYesYes
Educationcross mark
@@ -189,7 +178,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -197,12 +186,6 @@ If you disable this setting or do not configure it, the "Add a program from CD-R > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -270,7 +259,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -278,12 +267,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -312,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -351,7 +341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -361,12 +351,7 @@ If you disable this setting or do not configure it, "Add programs from your netw > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -394,28 +379,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -433,17 +424,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +458,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -511,21 +503,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Remove Add or Remove Programs* +- GP Friendly name: *Remove Add or Remove Programs* - GP name: *NoAddRemovePrograms* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -550,28 +537,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -589,22 +582,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide the Set Program Access and Defaults page* +- GP Friendly name: *Hide the Set Program Access and Defaults page* - GP name: *NoChooseProgramsPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -629,29 +617,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -668,21 +661,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Change or Remove Programs page* +- GP Friendly name: *Hide Change or Remove Programs page* - GP name: *NoRemovePage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -707,28 +695,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -746,7 +740,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -754,16 +748,11 @@ If you disable this setting or do not configure it, "Set up services" appears on > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Go directly to Components Wizard* +- GP Friendly name: *Go directly to Components Wizard* - GP name: *NoServices* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -788,28 +777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -827,7 +822,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -835,16 +830,10 @@ If you disable this setting or do not configure it, the Support Info hyperlink a > Not all programs provide a support information hyperlink. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP English name: *Remove Support Information* +- GP Friendly name: *Remove Support Information* - GP name: *NoSupportInfo* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -869,28 +858,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -908,21 +903,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Add/Remove Windows Components page* +- GP Friendly name: *Hide Add/Remove Windows Components page* - GP name: *NoWindowsSetupPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -939,8 +929,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e145a37e11..110c13b38f 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_AppCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -70,28 +74,32 @@ manager: dansimp - - + - + + - + + - + + - + + - + +
Windows EditionSupported?Edition
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -108,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -122,12 +130,6 @@ If the status is set to Not Configured, the OS falls back on a local policy set > This setting appears only in Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +149,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -185,7 +193,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -193,12 +201,6 @@ Enabling this policy setting removes the property page from the context-menus, b -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -218,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -256,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. +The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -268,12 +276,6 @@ Disabling telemetry will take effect on any newly launched applications. To ensu -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -293,28 +295,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -331,7 +339,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. +The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -344,12 +352,6 @@ If you disable or do not configure this policy setting, the Switchback will be t Reboot the system after changing the setting to ensure that your system accurately reflects those changes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -369,29 +371,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -407,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. +This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -422,12 +429,6 @@ This option is useful to server administrators who require faster performance an -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -447,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -485,16 +492,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -514,28 +515,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -552,7 +559,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -563,12 +570,6 @@ If you disable or do not configure this policy setting, the PCA will be turned o -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -588,28 +589,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -626,7 +633,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. +This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -636,12 +643,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -661,28 +662,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -699,7 +706,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. +This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -712,12 +719,6 @@ If you disable or do not configure this policy setting, the Inventory Collector -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,8 +730,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index f3aef0211f..4e924cb2a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppxPackageManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + > [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: @@ -88,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,7 +112,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index c30dafd023..74860dbb38 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppXRuntime -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,29 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -83,19 +93,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. +This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,19 +164,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -184,28 +189,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -222,7 +233,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. +This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. @@ -232,12 +243,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -256,28 +261,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -295,7 +306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. @@ -305,12 +316,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -323,8 +328,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 7a82136079..9ddc5dc7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AttachmentManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -86,7 +97,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. +This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. @@ -99,12 +110,6 @@ If you disable this policy setting, Windows uses its default trust logic, which If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -123,28 +128,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -161,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. +This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. @@ -176,12 +186,6 @@ If you disable this policy setting, Windows sets the default risk level to moder If you do not configure this policy setting, Windows sets the default risk level to moderate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -200,28 +204,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -238,7 +248,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. @@ -247,12 +257,6 @@ If you disable this policy setting, Windows uses its built-in list of file types If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +275,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. @@ -318,12 +328,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,28 +346,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -380,7 +390,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types which pose a moderate risk. @@ -389,12 +399,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,7 +411,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 56d9939332..5e4ce66ca3 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -12,9 +12,14 @@ ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_AuditSettings -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - ADMX_AuditSettings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -86,12 +97,6 @@ Default is Not configured. > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +109,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 9a5fd957e7..db5b7fc71f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Bits -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -75,28 +80,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -113,7 +124,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. +This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. @@ -121,14 +132,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -185,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. @@ -195,12 +206,7 @@ If you disable or do not configure this policy setting, the computer attempts to > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -219,28 +225,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -257,7 +269,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. @@ -267,12 +279,7 @@ If you disable or do not configure this policy setting, the computer will offer > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -292,28 +299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -330,7 +343,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. +This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. @@ -339,12 +352,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -364,28 +372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -402,7 +416,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. @@ -416,12 +430,6 @@ If you disable this policy setting or do not configure it, the default value of > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -440,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -478,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. @@ -490,12 +504,6 @@ If you disable or do not configure this policy setting, the limits defined for w > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -515,28 +523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -553,7 +567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. @@ -562,12 +576,6 @@ You can specify a limit to use for background jobs during a work schedule. For e If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,28 +595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -625,7 +639,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. +This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. @@ -635,12 +649,6 @@ If you disable or do not configure this policy setting, the default size of the > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,28 +667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -707,12 +721,6 @@ If you disable or do not configure this policy setting, files that have not been > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -731,28 +739,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -769,7 +783,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. +This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. @@ -780,12 +794,7 @@ If you enable this policy setting, you can set the maximum job download time to If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -804,28 +813,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -842,7 +857,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. @@ -852,12 +867,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -876,28 +886,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -914,7 +930,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. +This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. @@ -924,12 +940,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -948,28 +959,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -986,7 +1003,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. +This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. @@ -996,12 +1013,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1020,28 +1032,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1058,7 +1076,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. +This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. @@ -1068,12 +1086,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1086,8 +1099,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 44e91fe2e9..514efdce81 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_CipherSuiteOrder -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -87,12 +97,7 @@ If you disable or do not configure this policy setting, default cipher suite ord For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -170,12 +181,6 @@ CertUtil.exe -DisplayEccCurve ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,7 +193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 13d4fabf45..abac5580d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_COM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -89,12 +99,7 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +164,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -164,12 +175,6 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,7 +187,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 9dec30ad01..bdd6e7f313 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. @@ -98,12 +109,7 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -160,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. +This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. @@ -172,12 +184,7 @@ If this policy setting is not configured, the Control Panel opens to the view us > Icon size is dependent upon what the user has set it to in the previous session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -253,12 +266,7 @@ This setting removes PC settings from: If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -277,28 +285,38 @@ ADMX Info: - - + + + - + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -315,7 +333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. @@ -330,12 +348,6 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -348,7 +360,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index f1f3907cbe..d86682733e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanelDisplay -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -105,28 +110,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -143,19 +154,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. +Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -174,28 +180,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -212,17 +229,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -241,28 +253,40 @@ ADMX Info: - - + + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -279,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. +This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. @@ -288,12 +312,6 @@ If you disable or do not configure this setting, a user may change the color sch For Windows 7 and later, use the "Prevent changing color and appearance" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -312,28 +330,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -350,7 +379,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. +This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). @@ -360,12 +389,6 @@ If you disable or do not configure this setting, there is no effect. > If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -384,28 +407,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -422,19 +456,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -453,28 +481,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -491,7 +530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. +Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. @@ -502,12 +541,6 @@ If you enable it, a screen saver runs, provided the following two conditions hol Also, see the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -526,28 +559,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -564,7 +608,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). @@ -575,12 +619,7 @@ This can be used in conjunction with the "Prevent changing lock screen and logon Note: This setting only applies to Enterprise, Education, and Server SKUs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +638,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -637,19 +687,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -668,28 +712,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -706,19 +761,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen. If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -737,28 +786,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -775,7 +835,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. @@ -786,12 +846,6 @@ If the "Force a specific background and accent color" policy is also set on a su If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -810,28 +864,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -848,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. @@ -857,12 +922,6 @@ If this setting is disabled or not configured, the Color (or Window Color) page For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -881,28 +940,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -919,7 +989,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -932,12 +1002,6 @@ Note: You must also enable the "Desktop Wallpaper" setting to prevent users from Also, see the "Allow only bitmapped wallpaper" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -956,28 +1020,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -994,7 +1069,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -1003,12 +1078,6 @@ If you enable this setting, none of the desktop icons can be changed by the user For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1096,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,12 +1152,6 @@ If you enable this policy setting, users that are not required to press CTRL + A If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1096,28 +1170,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1141,12 +1226,6 @@ By default, users can use the Pointers tab in the Mouse Control Panel to add, re If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1165,28 +1244,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1203,17 +1293,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1232,28 +1316,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1270,19 +1365,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1301,28 +1390,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1339,19 +1439,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1370,28 +1464,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1408,7 +1513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. +Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. @@ -1422,12 +1527,6 @@ To ensure that a computer will be password protected, enable the "Enable Screen > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1446,8 +1545,9 @@ ADMX Info: - - + + + @@ -1455,19 +1555,27 @@ ADMX Info: - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1484,7 +1592,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. +Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. @@ -1501,12 +1609,6 @@ This setting has no effect under any of the following circumstances: When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1525,28 +1627,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1563,7 +1676,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. @@ -1577,12 +1690,6 @@ If the specified screen saver is not installed on a computer to which this setti > This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1601,28 +1708,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1646,12 +1764,6 @@ If you enable this setting, the theme that you specify will be applied when a ne If you disable or do not configure this setting, the default theme will be applied at the first logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1670,28 +1782,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1708,7 +1831,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. +This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). @@ -1724,12 +1847,6 @@ If you disable or do not configure this setting, the users can select the visual > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1748,28 +1865,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1786,19 +1914,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1811,7 +1933,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 6ad7cad008..71ba7fb9c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Cpls -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -84,12 +100,7 @@ If you enable this policy setting, the default user account picture will display If you disable or do not configure this policy setting, users will be able to customize their account pictures. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -102,8 +113,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index b7ed4ab54a..92d2b7cfc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredentialProviders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -42,28 +47,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -80,7 +96,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. +This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -91,12 +107,7 @@ If you don't configure this policy setting on a domain-joined device, a user can If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. +This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. @@ -163,12 +185,6 @@ If you disable or do not configure this policy setting, the system picks the def > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. > [!NOTE] > Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). @@ -236,12 +263,6 @@ If you enable this policy, an administrator can specify the CLSIDs of the creden If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -254,9 +275,5 @@ ADMX Info:
-> [!NOTE] -> These policies are for upcoming release. - - -These policies are currently only available as part of a Windows Insider release. \ No newline at end of file + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 04bbf46ba4..2c66db1203 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredSsp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -66,28 +71,38 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -104,7 +119,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -122,12 +137,7 @@ If you disable or do not configure (by default) this policy setting, delegation > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -146,28 +156,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -184,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. @@ -207,12 +228,6 @@ https://go.microsoft.com/fwlink/?LinkId=301508 > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +246,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -269,7 +295,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. @@ -287,12 +313,6 @@ If you enable this policy setting, CredSSP version support will be selected base For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -311,28 +331,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -349,7 +380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -369,12 +400,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -393,28 +418,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -431,7 +467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -451,12 +487,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -475,28 +505,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -513,7 +554,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -533,12 +574,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -557,28 +592,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -595,7 +641,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -615,12 +661,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -639,28 +679,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -677,7 +728,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). @@ -695,12 +746,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -719,28 +764,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -757,7 +813,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). @@ -775,12 +831,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -799,28 +849,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -837,7 +898,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). @@ -855,12 +916,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +934,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -917,7 +983,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client @@ -936,12 +1002,6 @@ If you disable or do not configure this policy setting, Restricted Admin and Rem > On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -954,8 +1014,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index acb7942b92..b6e48f936c 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredUI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. @@ -87,12 +103,6 @@ If you enable this policy setting, users will be required to enter Windows crede If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +121,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -152,12 +173,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -168,10 +184,6 @@ ADMX Info: -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +< diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index b42e1e9ad0..0098e79df8 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CtrlAltDel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +50,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,19 +99,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. +This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. +This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -165,12 +187,6 @@ If you disable or do not configure this policy setting, users will be able to lo > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. +This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -235,12 +262,6 @@ If you enable this policy setting, users will not be able to access Task Manager If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -259,28 +280,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -297,7 +329,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. +This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -306,12 +338,6 @@ Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -324,8 +350,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index c2de3fdc86..3955a74bc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_DataCollection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_DataCollection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_DataCollection/CommercialIdPolicy @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,19 +85,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4baa5a5da4..575e15bf06 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Desktop -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -120,28 +125,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -158,7 +169,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. @@ -167,12 +178,7 @@ If you disable this setting or do not configure it, the filter bar does not appe To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -191,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -229,7 +241,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. +Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. @@ -240,12 +252,7 @@ If you disable this setting or do not configure it, the Active Directory folder This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,7 +315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. @@ -311,12 +324,7 @@ If you disable this setting or do not configure it, the system displays up to 10 This setting is designed to protect the network and the domain controller from the effect of expansive searches. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -335,28 +343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -373,7 +387,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. +Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -383,12 +397,6 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,28 +415,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -445,7 +459,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. +Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -455,12 +469,7 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -517,17 +531,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. +Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -546,28 +554,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -584,19 +598,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -615,28 +624,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -653,7 +668,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. +Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. @@ -663,12 +678,7 @@ If you disable this setting or do not configure it, the default behavior of the > When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -687,28 +697,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -725,17 +741,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. +Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -754,28 +765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -792,7 +809,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. +This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. @@ -804,12 +821,7 @@ If you do not configure this setting, the default is to display Computer as usua > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -828,29 +840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -866,7 +883,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. +Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -878,12 +895,6 @@ This setting does not remove the My Documents icon from the Start menu. To do so > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -902,28 +913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -940,7 +957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. +Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. @@ -948,12 +965,7 @@ This setting only affects the desktop icon. It does not prevent users from conne > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -972,28 +984,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1010,19 +1028,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. +This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1041,28 +1054,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1079,7 +1098,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. +This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: @@ -1090,12 +1109,7 @@ If you enable this policy setting, the Properties menu command will not be displ If you disable or do not configure this policy setting, the Properties menu command is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1114,28 +1128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1152,19 +1172,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1183,28 +1198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1221,7 +1242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. +Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -1231,12 +1252,6 @@ This setting does not prevent the user from using other methods to gain access t > To make changes to this setting effective, you must log off and then log back on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1255,28 +1270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1293,19 +1314,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. +Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1324,28 +1340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1362,17 +1384,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. +Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1391,28 +1408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1429,19 +1452,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. +Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1460,28 +1477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1498,7 +1521,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. +Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. @@ -1512,12 +1535,6 @@ Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Pr > This setting does not apply to remote desktop server sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1536,28 +1553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1574,19 +1597,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. +Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1605,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1643,7 +1666,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. +Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. @@ -1653,12 +1676,7 @@ If you enable this setting, items added to the desktop cannot be closed; they al > This setting does not prevent users from deleting items from their Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1677,28 +1695,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1715,7 +1739,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. +Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. @@ -1724,12 +1748,7 @@ This setting does not prevent users from adding Web content to their Active Desk Also, see the "Prohibit closing items" and "Disable all items" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1748,28 +1767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1786,17 +1811,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. +Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1835,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1853,7 +1879,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. +Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. @@ -1861,12 +1887,7 @@ This setting removes all Active Desktop items from the desktop. It also removes > This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1885,28 +1906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1923,7 +1950,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. +Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1936,12 +1963,7 @@ You can also use this setting to delete particular Web-based items from users' d > For this setting to take affect, you must log off and log on to the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1960,28 +1982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1998,7 +2026,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. +Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. @@ -2011,12 +2039,7 @@ If you enable this setting, users cannot add or remove toolbars from the desktop Also, see the "Prohibit adjusting desktop toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2035,28 +2058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2073,7 +2102,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. @@ -2083,12 +2112,7 @@ This setting does not prevent users from adding or removing toolbars on the desk Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2107,28 +2131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2145,17 +2175,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,7 +2193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 470b11eb3f..b8b64ce774 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -57,28 +62,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -95,19 +106,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. +This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -126,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -164,19 +176,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -233,19 +246,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,19 +316,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. +This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -333,28 +342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -371,7 +386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. +This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. @@ -380,12 +395,7 @@ If you disable or do not configure this policy setting, the system does not forc Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -404,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -442,18 +458,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +483,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -510,19 +527,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. +This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -541,28 +553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -579,7 +597,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. +This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. @@ -587,12 +605,7 @@ If you disable or do not configure this policy setting, only members of the Admi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -605,6 +618,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 8816d46b2e..17ee9b18a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceSetup -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,19 +88,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. +This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,28 +114,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -146,7 +158,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. +This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. @@ -155,12 +167,6 @@ Note that searching always implies that Windows will attempt to search Windows U If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -173,7 +179,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index b41032d0f8..e9379aa5be 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DigitalLocker -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -86,12 +97,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?Editionwindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -148,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -157,12 +169,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +182,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md new file mode 100644 index 0000000000..2c19a0ace8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -0,0 +1,266 @@ +--- +title: Policy CSP - ADMX_DiskNVCache +description: Policy CSP - ADMX_DiskNVCache +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskNVCache + + +
+ + +## ADMX_DiskNVCache policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ + +
+ + +**ADMX_DiskNVCache/BootResumePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. + +If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. + +If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. +The system determines the data that will be stored in the NV cache to optimize boot and resume. + +The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. + +This policy setting is applicable only if the NV cache feature is on. + + + + +ADMX Info: +- GP Friendly name: *Turn off boot and resume optimizations* +- GP name: *BootResumePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + +
+ +**ADMX_DiskNVCache/FeatureOffPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. + +To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + +If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. + +If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. + +This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + + + + +ADMX Info: +- GP Friendly name: *Turn off non-volatile cache feature* +- GP name: *FeatureOffPolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
+ + +**ADMX_DiskNVCache/SolidStatePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off the solid state mode for the hybrid hard disks. + +If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. + +If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. + +This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. + + + + + +ADMX Info: +- GP Friendly name: *Turn off solid state mode* +- GP name: *SolidStatePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md new file mode 100644 index 0000000000..16ccbf1dce --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -0,0 +1,500 @@ +--- +title: Policy CSP - ADMX_DiskQuota +description: Policy CSP - ADMX_DiskQuota +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskQuota + + +
+ +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +## ADMX_DiskQuota policies + + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ + +
+ + +**ADMX_DiskQuota/DQ_RemovableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. + +If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. + +When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + +ADMX Info: +- GP Friendly name: *Apply policy to removable media* +- GP name: *DQ_RemovableMedia* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + +**ADMX_DiskQuota/DQ_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. + +If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. + +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. + +This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + +To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + + +ADMX Info: +- GP Friendly name: *Enable disk quotas* +- GP name: *DQ_Enable* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Enforce** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. + +If you enable this policy setting, disk quota limits are enforced. + +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. + +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. + +This policy setting overrides user settings that enable or disable quota enforcement on their volumes. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + + + + +ADMX Info: +- GP Friendly name: *Enforce disk quota limit* +- GP name: *DQ_Enforce* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +If you enable this policy setting, the system records an event when the user reaches their limit. + +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + +ADMX Info: +- GP Friendly name: *Log event when quota limit is exceeded* +- GP name: *DQ_LogEventOverLimit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverThreshold** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +If you enable this policy setting, the system records an event. + +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + +ADMX Info: +- GP Friendly name: *Log event when quota warning level is exceeded* +- GP name: *DQ_LogEventOverThreshold* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Limit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the default disk quota limit and warning level for new users of the volume. +This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. + +This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). + +If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. + +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + + + + +ADMX Info: +- GP Friendly name: *Specify default quota limit and warning level* +- GP name: *DQ_Limit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 1151c3fbae..ed55f58aa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DistributedLinkTracking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. @@ -83,12 +94,6 @@ This policy should not be set unless the DLT server is running on all domain con > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,8 +106,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 6d020b3a32..f1dc91e8d4 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_DnsClient -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -99,28 +103,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -137,19 +147,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -167,28 +172,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -205,7 +216,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -220,12 +231,6 @@ If you disable this policy setting, no suffixes are appended to unqualified mult If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -244,28 +249,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -282,19 +293,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -313,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -351,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -375,12 +387,7 @@ If you enable this policy setting and DNS devolution is also enabled, DNS client If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -400,28 +407,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -438,19 +451,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -469,28 +477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -507,19 +521,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -538,28 +547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -576,7 +591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -585,12 +600,7 @@ If you enable this policy setting, the list of DNS servers is applied to all net If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -609,28 +619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -647,7 +663,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -657,12 +673,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -682,28 +692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -720,7 +736,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -733,12 +749,7 @@ You can use this policy setting to prevent users, including local administrators If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -757,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -795,7 +812,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -807,12 +824,7 @@ Important: This policy setting is ignored on a DNS client computer if dynamic DN If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -831,28 +843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -869,7 +887,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. +This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -883,12 +901,7 @@ To use this policy setting, click Enabled, and then select one of the following If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -907,28 +920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -945,19 +964,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -976,28 +990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1014,7 +1034,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1025,12 +1045,7 @@ If you enable this policy setting or if you do not configure this policy setting If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1049,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1087,7 +1108,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1101,12 +1122,7 @@ If you enable this policy setting, registration refresh interval that you specif If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1125,28 +1141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1163,7 +1185,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1172,12 +1194,7 @@ If you enable this policy setting, the TTL value that you specify will be applie If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1196,28 +1213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1234,7 +1257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1247,12 +1270,7 @@ If you enable this policy setting, one DNS suffix is attached at a time for each If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1272,28 +1290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1310,19 +1334,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1341,28 +1360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1379,7 +1404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1389,12 +1414,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1413,28 +1432,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1451,7 +1475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. +This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1464,12 +1488,7 @@ If you enable this policy setting, computers that attempt to send dynamic DNS up If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1488,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1526,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1535,12 +1560,7 @@ If you enable this policy setting, computers send dynamic updates to any zone th If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1559,28 +1579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1597,7 +1623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1622,12 +1648,7 @@ If you enable this policy setting, or if you do not configure this policy settin If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1646,28 +1667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1684,7 +1711,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1693,12 +1720,7 @@ If you enable this policy setting, LLMNR will be disabled on all available netwo If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1710,7 +1732,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ad2161edfc..b8fc8128ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DWM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -89,7 +100,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -99,12 +110,6 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -124,28 +129,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -162,7 +173,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -172,12 +183,7 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -243,12 +255,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,28 +274,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -305,7 +317,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -314,12 +326,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -338,28 +345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -376,7 +389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -386,12 +399,7 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -448,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -458,12 +472,6 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -476,7 +484,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 454bd47f86..f339803e93 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EAIME -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -69,29 +74,33 @@ manager: dansimp - - + + + - + + - + + - - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -107,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. +This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. @@ -119,12 +128,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -143,28 +147,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -181,7 +190,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. +This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: @@ -205,12 +214,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -229,28 +233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -267,7 +277,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. +This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. @@ -281,12 +291,7 @@ This policy setting is applied to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -305,28 +310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -343,7 +354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. +This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. @@ -355,12 +366,6 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -379,28 +384,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -417,7 +428,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. +This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. @@ -431,12 +442,7 @@ This policy setting applies to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -455,28 +461,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -493,7 +505,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. +This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. @@ -504,12 +516,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary This policy setting is applied to Japanese Microsoft IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -566,7 +579,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. +This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. @@ -575,12 +588,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save This policy setting applies to Japanese Microsoft IME only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -637,7 +651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -648,12 +662,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -672,28 +681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -710,7 +725,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -721,12 +736,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -745,28 +755,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -783,7 +799,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. +This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -794,12 +810,7 @@ If you don't configure this policy setting, it will be turned on by default, and This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -818,28 +829,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -856,7 +873,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. +This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -867,12 +884,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +903,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -929,7 +947,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. +This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. @@ -938,12 +956,7 @@ If you disable or do not configure this policy setting, misconversion logging is This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -956,7 +969,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index d5cdf442da..c302a45683 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EncryptFilesonMove -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -83,12 +94,7 @@ If you disable or do not configure this policy setting, File Explorer automatica This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +107,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index a77d1438d2..2d325be21b 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EnhancedStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -89,19 +100,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -158,19 +169,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -189,28 +194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -227,19 +238,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. +This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -258,28 +263,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -296,19 +307,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. +This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -327,28 +332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -365,7 +376,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. +This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. @@ -374,12 +385,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -398,28 +403,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -436,19 +447,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. +This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -461,8 +466,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index f54ecfc994..ddb1aea9f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_ErrorReporting -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_ErrorReporting policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_ErrorReporting/PCH_AllOrNoneDef @@ -120,28 +125,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -158,7 +169,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. +This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. @@ -171,12 +182,6 @@ This policy setting is ignored if the Configure Error Reporting policy setting i For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -195,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -233,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -242,12 +253,6 @@ If this policy setting is enabled, the Exclude errors for applications on this l If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -266,28 +271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -304,7 +315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. +This policy setting specifies applications for which Windows Error Reporting should always report errors. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. @@ -319,12 +330,7 @@ Also see the "Default Application Reporting" and "Application Exclusion List" po This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,28 +349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -381,7 +393,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. +This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -409,12 +421,6 @@ If you disable this policy setting, configuration settings in the policy setting See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -433,28 +439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -471,7 +483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. +This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. @@ -482,12 +494,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -506,28 +512,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -544,19 +556,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -575,28 +581,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -613,19 +625,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. +This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -644,28 +650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -682,19 +694,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -713,28 +719,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markNoNo
@@ -751,20 +763,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Automatically send memory dumps for OS-generated error reports* @@ -782,28 +786,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -820,19 +830,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -851,28 +855,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -889,19 +899,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -920,28 +924,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -958,19 +968,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -989,28 +993,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1027,19 +1037,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1058,28 +1062,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1096,19 +1106,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1127,28 +1131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1165,19 +1175,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1196,28 +1200,34 @@ ADMX Info: - - + + + - +` - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1234,19 +1244,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1265,28 +1269,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -1303,7 +1312,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. @@ -1320,12 +1329,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1344,28 +1347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markYesYes
@@ -1382,19 +1391,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1413,28 +1416,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1451,19 +1460,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1482,28 +1485,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1520,7 +1529,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1535,12 +1544,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1559,28 +1562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1597,7 +1606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. +This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: @@ -1612,12 +1621,6 @@ If you enable this policy setting, you can set the default consent handling for If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1636,28 +1639,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1674,19 +1683,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1705,28 +1708,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1743,7 +1752,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. @@ -1751,12 +1760,6 @@ If you disable or do not configure this policy setting, errors are reported on a -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1775,28 +1778,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1813,19 +1822,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1844,28 +1847,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1882,19 +1891,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1913,28 +1916,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1951,19 +1960,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1982,28 +1985,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2020,19 +2029,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2051,28 +2054,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2089,7 +2098,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. @@ -2098,12 +2107,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2122,28 +2125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2160,7 +2169,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. +This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. @@ -2169,12 +2178,6 @@ The Maximum number of reports to queue setting determines how many reports can b If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -2187,7 +2190,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index bd419345c7..6c88919cf8 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -14,14 +14,19 @@ manager: dansimp # Policy CSP - ADMX_EventForwarding -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_EventForwarding policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_EventForwarding/ForwarderResourceUsage @@ -40,28 +45,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -78,7 +89,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. +This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. @@ -87,12 +98,7 @@ If you disable or do not configure this policy setting, forwarder resource usage This setting applies across all subscriptions for the forwarder (source computer). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,29 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. +This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. @@ -167,12 +178,6 @@ When using the HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector computer will not be specified. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -185,8 +190,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 7c171edf2e..acc2191553 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_EventLog -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_EventLog policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_EventLog/Channel_LogEnabled @@ -96,28 +101,33 @@ manager: dansimp - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -134,19 +144,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. +This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -165,28 +169,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -203,19 +213,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -234,28 +238,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
NoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -272,19 +281,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -303,28 +306,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -341,19 +350,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -372,28 +375,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -410,19 +419,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +444,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -479,19 +488,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. +This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -510,28 +513,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -548,7 +557,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -557,12 +566,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -581,28 +584,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -619,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -628,12 +637,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -652,28 +655,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -690,7 +699,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -699,12 +708,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -723,28 +726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -761,7 +770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. +This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. @@ -770,12 +779,6 @@ If you disable this policy setting and the "Retain old events" policy setting is If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -794,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -832,7 +841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -842,12 +851,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -866,28 +869,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -904,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -914,12 +923,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -938,28 +941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -976,7 +985,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -986,12 +995,6 @@ If you disable or do not configure this policy setting, all authenticated users > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1010,28 +1013,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1048,7 +1057,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1058,12 +1067,6 @@ If you disable or do not configure this policy setting, only system software and > If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1082,28 +1085,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1120,7 +1128,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1129,12 +1137,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1153,28 +1155,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1191,7 +1199,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. @@ -1200,12 +1208,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1224,28 +1226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1262,7 +1270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. @@ -1271,12 +1279,6 @@ If you disable this policy setting, all authenticated users and system services If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1295,28 +1297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1333,7 +1341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. @@ -1342,12 +1350,6 @@ If you disable this policy setting, only system software and administrators can If you do not configure this policy setting, the previous policy setting configuration remains in effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1366,28 +1368,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markNoNo
Educationcross markYesYes
@@ -1404,7 +1412,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1413,12 +1421,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1437,28 +1439,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1475,7 +1483,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1484,12 +1492,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1503,33 +1505,40 @@ ADMX Info:
-**ADMX_EventLog/Channel_Log_Retention_4** +**ADMX_EventLog/Channel_Log_Retention_4** + - - + + + - + + - + + - + + - + + > - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1546,7 +1555,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. @@ -1555,12 +1564,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1573,7 +1576,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index be619c2c3b..c7514101dd 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Explorer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_Explorer policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_Explorer/AdminInfoUrl @@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -86,15 +97,9 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -163,14 +174,6 @@ If you disable or do not configure this policy setting, the menu bar will not be > [!NOTE] > When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - ADMX Info: - GP Friendly name: *Display the menu bar in File Explorer* @@ -188,28 +191,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,17 +235,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -255,28 +258,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -293,7 +302,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. @@ -303,12 +312,6 @@ If you disable or do not configure this policy setting, users will be able to ad > Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -327,28 +330,33 @@ ADMX Info: - - + + + - + + - - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
NoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -365,15 +373,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -386,6 +388,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 7f2635d2ab..aeb520d2ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -13,9 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileRecovery -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -34,28 +38,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -75,12 +85,7 @@ manager: dansimp > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -90,8 +95,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 2896e4cc5a..416b833dea 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_FileServerVSSProvider -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. +This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. @@ -84,12 +95,6 @@ By default, the RPC protocol message between File Server VSS provider and File S > To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -102,8 +107,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 079c55e92e..54c474440a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -13,13 +13,18 @@ manager: dansimp --- # Policy CSP - ADMX_FileSys -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-## ADMX_FileSys policies +## ADMX_FileSys policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -55,28 +60,33 @@ manager: dansimp **ADMX_FileSys/DisableCompression** - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -93,15 +103,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. +Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -157,19 +168,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. +Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -186,28 +191,34 @@ ADMX Info: **ADMX_FileSys/DisableEncryption** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -224,15 +235,8 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -249,28 +253,34 @@ ADMX Info: **ADMX_FileSys/EnablePagefileEncryption** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -287,15 +297,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -312,28 +316,34 @@ ADMX Info: **ADMX_FileSys/LongPathsEnabled** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -350,15 +360,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -375,28 +379,34 @@ ADMX Info: **ADMX_FileSys/ShortNameCreationSettings** - - + + + - + + - + + - + + - + + - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYes + Yes
@@ -413,17 +423,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -441,28 +445,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -479,7 +489,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: +Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: - Local Link to a Local Target - Local Link to a Remote Target @@ -492,12 +502,6 @@ For more information, refer to the Windows Help section. > If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -514,28 +518,34 @@ ADMX Info: **ADMX_FileSys/TxfDeprecatedFunctionality** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -552,15 +562,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -573,8 +578,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index ed28fb4638..9bdab22253 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_FolderRedirection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_FolderRedirection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_FolderRedirection/DisableFRAdminPin @@ -53,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -91,7 +102,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. +This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. @@ -105,12 +116,6 @@ If you disable or do not configure this policy setting, redirected shell folders > If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -128,28 +133,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -166,7 +177,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default. +This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. @@ -178,12 +189,6 @@ If you disable or do not configure this policy setting, all redirected shell fol > The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -202,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -240,19 +251,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +276,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -309,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -319,12 +329,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -343,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -381,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. @@ -391,12 +401,6 @@ If you disable or not configure this policy setting, Windows Vista, Windows 7, W > This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -414,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -452,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -464,12 +474,6 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -487,28 +491,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -525,7 +535,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. @@ -537,12 +547,7 @@ If you disable or do not configure this policy setting and the user has redirect > If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -555,8 +560,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 857ff5d89f..812087e3a5 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_Globalization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_Globalization policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_Globalization/BlockUserInputMethodsForSignIn @@ -105,28 +110,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -143,7 +154,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. +This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. @@ -152,12 +163,7 @@ If the policy is Enabled, then the user will get input methods enabled for the s If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -176,28 +182,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -214,7 +226,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -229,12 +241,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -253,28 +259,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -291,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. @@ -306,12 +318,6 @@ If this policy setting is enabled at the machine level, it cannot be disabled by To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -330,28 +336,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -368,7 +380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel. +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. @@ -383,12 +395,6 @@ If you disable or do not configure this policy setting, the user can see the Adm -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,28 +413,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -445,7 +457,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. +This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -457,12 +469,6 @@ If you disable or do not configure this policy setting, the user sees the option > Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -481,28 +487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -519,7 +531,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. +This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. @@ -530,12 +542,6 @@ If you enable this policy setting, the user does not see the option for changing -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -554,28 +560,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -592,7 +604,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel. +This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. @@ -601,12 +613,6 @@ If you enable this policy setting, the user does not see the regional formats op If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -625,28 +631,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -663,7 +675,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -684,12 +696,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -708,28 +714,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -746,7 +758,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization. +This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. @@ -767,12 +779,6 @@ This policy setting is related to the "Turn off handwriting personalization" pol > Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -791,28 +797,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -829,7 +841,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). @@ -838,12 +850,6 @@ If you enable this policy setting, administrators can select a system locale onl If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -862,28 +868,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -900,7 +912,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -911,12 +923,6 @@ If you enable this policy setting, only locales in the specified locale list can If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -935,28 +941,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -973,7 +985,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. @@ -986,12 +998,6 @@ If you disable or do not configure this policy setting, users can select any loc If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1010,28 +1016,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1048,7 +1059,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users. +This policy setting restricts the Windows UI language for all users. This is a policy setting for computers with more than one UI language installed. @@ -1057,12 +1068,6 @@ If you enable this policy setting, the UI language of Windows menus and dialogs If you disable or do not configure this policy setting, the user can specify which UI language is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1081,28 +1086,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1119,7 +1130,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users. +This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. @@ -1130,12 +1141,6 @@ If you disable or do not configure this policy setting, there is no restriction To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1154,28 +1159,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1192,7 +1203,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1203,12 +1214,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1227,28 +1232,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1265,7 +1276,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID). +This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. @@ -1276,12 +1287,6 @@ If you enable this policy setting at the computer level, it cannot be disabled b To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1300,28 +1305,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + + >
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1338,7 +1349,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1353,12 +1364,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1377,28 +1382,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1415,7 +1426,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides. +This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. @@ -1430,12 +1441,6 @@ If this policy is set to Enabled at the computer level, then it cannot be disabl To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1454,28 +1459,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1492,7 +1503,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. @@ -1501,12 +1512,6 @@ To enable this policy setting in Windows Vista, use the "Restricts the UI langua If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1525,28 +1530,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1563,7 +1574,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. @@ -1573,12 +1584,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1597,28 +1602,34 @@ ADMX Info: - - + + + - + + - + + /td> - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1635,7 +1646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. @@ -1646,12 +1657,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1670,28 +1675,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1708,7 +1719,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. @@ -1718,12 +1729,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1742,28 +1747,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1780,7 +1791,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. @@ -1791,12 +1802,6 @@ If the policy is Disabled or Not Configured, then the user will be free to chang Note that the availability and function of this setting is dependent on supported languages being enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1815,28 +1820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1853,7 +1864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years. +This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. @@ -1864,12 +1875,6 @@ For example, the default value, 2029, specifies that all two-digit years less th If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1882,7 +1887,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md new file mode 100644 index 0000000000..f26e77cac0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -0,0 +1,249 @@ +--- +title: Policy CSP - ADMX_iSCSI +description: Policy CSP - ADMX_iSCSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_iSCSI + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ + +
+ + +**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + +If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of iSNS servers* +- GP name: *iSCSIGeneral_RestrictAdditionalLogins* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of target portals* +- GP name: *iSCSIGeneral_ChangeIQNName* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then do not allow the initiator CHAP secret to be changed. + +If disabled then the initiator CHAP secret may be changed. + + + + + +ADMX Info: +- GP English name: *Do not allow changes to initiator CHAP secret* +- GP name: *iSCSISecurity_ChangeCHAPSecret* +- GP path: *System\iSCSI\iSCSI Security* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md new file mode 100644 index 0000000000..64a89c8ccf --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -0,0 +1,646 @@ +--- +title: Policy CSP - ADMX_PreviousVersions +description: Policy CSP - ADMX_PreviousVersions +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PreviousVersions + +
+ + +## ADMX_PreviousVersions policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_PreviousVersions/DisableLocalPage_1 +
+
+ ADMX_PreviousVersions/DisableLocalPage_2 +
+
+ ADMX_PreviousVersions/DisableRemotePage_1 +
+
+ ADMX_PreviousVersions/DisableRemotePage_2 +
+
+ ADMX_PreviousVersions/HideBackupEntries_1 +
+
+ ADMX_PreviousVersions/HideBackupEntries_2 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_1 +
+
+ ADMX_PreviousVersions/DisableLocalRestore_2 +
+
+ + +
+ + +**ADMX_PreviousVersions/DisableLocalPage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableLocalPage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. + +- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring local previous versions* +- GP name: *DisableLocalPage_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableRemotePage_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableRemotePage_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableRemotePage_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
+ + +**ADMX_PreviousVersions/HideBackupEntries_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/HideBackupEntries_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + +ADMX Info: +- GP Friendly name: *Hide previous versions of files on backup location* +- GP name: *HideBackupEntries_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + +
+ + +**ADMX_PreviousVersions/DisableLocalRestore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_1* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + +
+ +**ADMX_PreviousVersions/DisableLocalRestore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. + +- If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + +ADMX Info: +- GP Friendly name: *Prevent restoring remote previous versions* +- GP name: *DisableLocalRestore_2* +- GP path: *Windows Components\File Explorer\Previous Versions* +- GP ADMX file name: *PreviousVersions.admx* + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md new file mode 100644 index 0000000000..2dd314e5ca --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -0,0 +1,103 @@ +--- +title: Policy CSP - ADMX_PushToInstall +description: Policy CSP - ADMX_PushToInstall +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PushToInstall + +
+ + +## ADMX_PushToInstall policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_PushToInstall/DisablePushToInstall +
+
+ + +
+ + +**ADMX_PushToInstall/DisablePushToInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + + + + +ADMX Info: +- GP Friendly name: *Turn off Push To Install service* +- GP name: *DisablePushToInstall* +- GP path: *Windows Components\Push To Install* +- GP ADMX file name: *PushToInstall.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md new file mode 100644 index 0000000000..f1161f6d53 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_Radar +description: Policy CSP - ADMX_Radar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Radar + +
+ + +## ADMX_Radar policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_Radar/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_Radar/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. + +These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* +- GP ADMX file name: *Radar.admx* + +
+ + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md new file mode 100644 index 0000000000..f19401826c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_sdiagschd +description: Policy CSP - ADMX_sdiagschd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_sdiagschd + +
+ + +## ADMX_sdiagschd policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ + +
+ + +**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. + +- If you enable this policy setting, you must choose an execution level. + +If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. + +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scheduled Maintenance Behavior* +- GP name: *ScheduledDiagnosticsExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* +- GP ADMX file name: *sdiagschd.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md new file mode 100644 index 0000000000..2bdd21ec6f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -0,0 +1,341 @@ +--- +title: Policy CSP - ADMX_ServerManager +description: Policy CSP - ADMX_ServerManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ServerManager + +
+ + +## ADMX_ServerManager policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ + +
+ + +**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Server Manager automatically at logon* +- GP name: *Do_not_display_Manage_Your_Server_page* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + + +**ADMX_ServerManager/ServerManagerAutoRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + +ADMX Info: +- GP Friendly name: *Configure the refresh interval for Server Manager* +- GP name: *ServerManagerAutoRefreshRate* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* +- GP name: *DoNotLaunchInitialConfigurationTasks* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. + +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. + +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. + +However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Manage Your Server page at logon* +- GP name: *DoNotLaunchServerManager* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md new file mode 100644 index 0000000000..8e63a59f12 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_SoundRec +description: Policy CSP - ADMX_SoundRec +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SoundRec + +
+ + +## ADMX_SoundRec policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
+
+ + +
+ + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_1* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_2* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md new file mode 100644 index 0000000000..ade211ea40 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -0,0 +1,180 @@ +--- +title: Policy CSP - ADMX_srmfci +description: Policy CSP - ADMX_srmfci +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_srmfci + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_srmfci policies + +
+
+ ADMX_srmfci/EnableShellAccessCheck +
+
+ ADMX_srmfci/AccessDeniedConfiguration +
+
+ + +
+ + +**ADMX_srmfci/EnableShellAccessCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types. + + + + + +ADMX Info: +- GP Friendly name: *Enable access-denied assistance on client for all file types* +- GP name: *EnableShellAccessCheck* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + +**ADMX_srmfci/AccessDeniedConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. + +If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. + +If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + + + + +ADMX Info: +- GP Friendly name: *Customize message for Access Denied errors* +- GP name: *AccessDeniedConfiguration* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md new file mode 100644 index 0000000000..53648b8f57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_TabletShell +description: Policy CSP - ADMX_TabletShell +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TabletShell + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ + +
+ + +**ADMX_TabletShell/DisableInkball_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run. + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Inkball to run* +- GP name: *DisableInkball_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + + +
+ + +**ADMX_TabletShell/DisableNoteWriterPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow printing to Journal Note Writer* +- GP name: *DisableNoteWriterPrinting_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..ed42ebde3f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md new file mode 100644 index 0000000000..e5ddae159b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -0,0 +1,331 @@ +--- +title: Policy CSP - ADMX_TouchInput +description: Policy CSP - ADMX_TouchInput +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TouchInput + +
+ + +## ADMX_TouchInput policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_TouchInput/TouchInputOff_1 +
+
+ ADMX_TouchInput/TouchInputOff_2 +
+
+ ADMX_TouchInput/PanningEverywhereOff_1 +
+
+ ADMX_TouchInput/PanningEverywhereOff_2 +
+
+ + +
+ + +**ADMX_TouchInput/TouchInputOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +**ADMX_TouchInput/TouchInputOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Tablet PC touch input* +- GP name: *TouchInputOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + + +
+ + +**ADMX_TouchInput/PanningEverywhereOff_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_1* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
+ +**ADMX_TouchInput/PanningEverywhereOff_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + +ADMX Info: +- GP Friendly name: *Turn off Touch Panning* +- GP name: *PanningEverywhereOff_2* +- GP path: *Windows Components\Tablet PC\Touch Input* +- GP ADMX file name: *TouchInput.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md new file mode 100644 index 0000000000..900905feee --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -0,0 +1,185 @@ +--- +title: Policy CSP - ADMX_WDI +description: Policy CSP - ADMX_WDI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/09/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WDI + +
+ + +## ADMX_WDI policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_WDI/WdiDpsScenarioExecutionPolicy +
+
+ ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +
+
+ + +
+ + +**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. +When the service is stopped or disabled, diagnostic scenario data will not be deleted. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario retention* +- GP name: *WdiDpsScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
+ + +**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. + +- If you enable this policy setting, you must select an execution level from the drop-down menu. + +If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + + + + +ADMX Info: +- GP Friendly name: *Diagnostics: Configure scenario execution level* +- GP name: *WdiDpsScenarioDataSizeLimitPolicy* +- GP path: *System\Troubleshooting and Diagnostics* +- GP ADMX file name: *WDI.admx* + + + +
+ + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md new file mode 100644 index 0000000000..fe79bb59e1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -0,0 +1,182 @@ +--- +title: Policy CSP - ADMX_WindowsColorSystem +description: Policy CSP - ADMX_WindowsColorSystem +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsColorSystem + +
+ + +## ADMX_WindowsColorSystem policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +
+
+ ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +
+
+ + +
+ + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_1* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + +
+ + +**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting affects the ability of users to install or uninstall color profiles. + +- If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. + +- If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + + + + +ADMX Info: +- GP Friendly name: *Prohibit installing or uninstalling color profiles* +- GP name: *ProhibitChangingInstalledProfileList_2* +- GP path: *Windows Components\Windows Color System* +- GP ADMX file name: *WindowsColorSystem.admx* + + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..e181048e21 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,16 +5,15 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 05/02/2021 +ms.date: 09/29/2021 ms.reviewer: manager: dansimp --- # Policy CSP - LocalPoliciesSecurityOptions -
@@ -164,11 +163,10 @@ manager: dansimp
-
> [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -304,9 +302,8 @@ This security setting determines whether local accounts that are not password pr Default: Enabled. -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. This setting does not affect logons that use domain accounts. @@ -524,9 +521,8 @@ Devices: Allow undock without having to log on. This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. -Caution: - -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -666,7 +662,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled ->[!Note] +>[!NOTE] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1413,14 +1409,14 @@ If this setting is enabled, the Microsoft network client will not communicate wi Default: Disabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1493,16 +1489,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1728,16 +1724,16 @@ If this setting is enabled, the Microsoft network server will not communicate wi Default: Disabled for member servers. Enabled for domain controllers. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. ->If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1810,15 +1806,15 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Note] +> [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1896,8 +1892,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. ->[!Important] ->This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. @@ -3189,8 +3185,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - > [!NOTE] - > Use this option only in the most constrained environments. + + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3565,8 +3562,10 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: - 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - > [!NOTE] - > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 1fe9517d3d..8b1cc3fa9f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -198,6 +198,9 @@ manager: dansimp
Update/SetProxyBehaviorForUpdateDetection
+
+ Update/TargetProductVersion +
Update/TargetReleaseVersion
@@ -4284,6 +4287,86 @@ The following list shows the supported values:
+ +**Update/TargetProductVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. + +If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). + + + +ADMX Info: +- GP Friendly name: *Select the target Feature Update version* +- GP name: *TargetProductVersion* +- GP element: *TargetProductVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. + + + + + + + + +By using this Windows Update for Business policy to upgrade devices to a new product (ex. Windows 11) you are agreeing that when applying this operating system to a device either +(1) The applicable Windows license was purchased though volume licensing, or +(2) That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). + +
+ **Update/TargetReleaseVersion** diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 22e27a3a21..554f8d934a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -455,6 +455,10 @@ items: href: policy-csp-admx-dfs.md - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskNVCache + href: policy-csp-admx-disknvcache.md + - name: ADMX_DiskQuota + href: policy-csp-admx-diskquota.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -506,7 +510,9 @@ items: - name: ADMX_ICM href: policy-csp-admx-icm.md - name: ADMX_IIS - href: policy-csp-admx-iis.md + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos @@ -555,6 +561,8 @@ items: href: policy-csp-admx-power.md - name: ADMX_PowerShellExecutionPolicy href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md - name: ADMX_Printing href: policy-csp-admx-printing.md - name: ADMX_Printing2 @@ -573,10 +581,14 @@ items: href: policy-csp-admx-scripts.md - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -597,12 +609,18 @@ items: href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md - name: ADMX_Taskbar href: policy-csp-admx-taskbar.md - name: ADMX_tcpip href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md - name: ADMX_TPM href: policy-csp-admx-tpm.md - name: ADMX_UserExperienceVirtualization @@ -613,10 +631,14 @@ items: href: policy-csp-admx-w32time.md - name: ADMX_WCM href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md - name: ADMX_WindowsAnytimeUpgrade href: policy-csp-admx-windowsanytimeupgrade.md + - name: ADMX_WindowsColorSystem + href: policy-csp-admx-windowscolorsystem.md - name: ADMX_WindowsConnectNow href: policy-csp-admx-windowsconnectnow.md - name: ADMX_WindowsExplorer diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 18817d1d38..cdcc9f1abd 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -134,13 +134,13 @@ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Subscription Activation items: - - name: Windows 10 Subscription Activation + - name: Windows 10/11 Subscription Activation href: windows-10-subscription-activation.md - - name: Windows 10 Enterprise E3 in CSP + - name: Windows 10/11 Enterprise E3 in CSP href: windows-10-enterprise-e3-overview.md - name: Configure VDA for Subscription Activation href: vda-subscription-activation.md - - name: Deploy Windows 10 Enterprise licenses + - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - name: Deploy Windows 10 updates items: diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1101efd400..9b4d7283c3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,10 +1,10 @@ --- -title: Deploy Windows 10 Enterprise licenses +title: Deploy Windows 10/11 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro ms.author: greglin -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy @@ -16,18 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Deploy Windows 10 Enterprise licenses +# Deploy Windows 10/11 Enterprise licenses -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. +> [!NOTE] +> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. +> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. ->[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> [!IMPORTANT] +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". @@ -50,24 +50,17 @@ If you are an EA customer with an existing Office 365 tenant, use the following - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. - -1. The admin can now assign subscription licenses to users. +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - 2. Click **Subscriptions**. - 3. Click **Online Services Agreement List**. - 4. Enter your agreement number, and then click **Search**. - 5. Click the **Service Name**. - 6. In the **Subscription Contact** section, click the name listed under **Last Name**. - 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -76,9 +69,9 @@ Also in this article: ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -91,16 +84,16 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> [!NOTE] +> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: > [!div class="mx-imgBorder"] > ![profile.](images/al01.png) @@ -121,11 +114,11 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? -### Step 1: Join Windows 10 Pro devices to Azure AD +### Step 1: Join Windows 10/11 Pro devices to Azure AD -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. **To join a device to Azure AD the first time the device is started** @@ -176,16 +169,15 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +> [!IMPORTANT] +> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
Windows 10 Pro activated
Figure 7a - Windows 10 Pro activation in Settings -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - +Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** +If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T +> [!NOTE] +> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md index 5e3fa30528..a03d3f5fb1 100644 --- a/windows/deployment/update/delivery-optimization-proxy.md +++ b/windows/deployment/update/delivery-optimization-proxy.md @@ -15,7 +15,10 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to**: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..c12811fc60 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -17,8 +17,8 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 ## Download request workflow @@ -40,5 +40,5 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identified of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | | dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 63c9c6aa24..546749d1dd 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -81,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell @@ -115,7 +115,7 @@ You should continue to use deployment rings as part of the servicing strategy fo ### Monitoring deployments to detect rollback issues -During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. +During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. ### How to enable deployment protections @@ -124,21 +124,16 @@ Deployment scheduling controls are always available, but to take advantage of th #### Device prerequisites -> [!NOTE] -> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - - Diagnostic data is set to *Required* or *Optional*. - The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy. - -> [!NOTE] -> Setting this policy by using Group Policy isn't currently supported. +To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. | Policy | Sets registry key under **HKLM\\Software** | |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: @@ -184,5 +179,5 @@ Avoid using different channels to manage the same resources. If you use Microsof To learn more about the deployment service, try the following: -- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates) +- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index df12b64c2c..2aea9ec10f 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -20,6 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** - Windows 10 +- Windows 11 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -116,8 +117,11 @@ Download mode dictates which download sources clients are allowed to use when do | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +> [!NOTE] +> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. + >[!NOTE] ->Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. +>When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID @@ -160,7 +164,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. ### Absolute Max Cache Size @@ -197,8 +201,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. -Currently the only available option is **1 = Subnet mask**. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). + +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ef3f3040cc..b15133d690 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. +description: In this article, learn how to set up Delivery Optimization. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -15,11 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Set up Delivery Optimization for Windows 10 updates +# Set up Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index ab8834382a..4bd4c62a37 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates +title: Delivery Optimization for Windows client updates manager: laurawi description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics @@ -16,12 +16,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# Delivery Optimization for Windows 10 updates - +# Delivery Optimization for Windows client updates **Applies to** - Windows 10 +- Windows 11 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). @@ -29,44 +29,17 @@ Windows updates, upgrades, and applications can contain packages with very large Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). +For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. -## New in Windows 10, version 2004 +## New in Windows 10, version 20H2 and Windows 11 -- Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: - - ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png) - -- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). - -- New options for [`Get-DeliveryOptimizationPerfSnap`](waas-delivery-optimization-setup.md#analyze-usage). - -- New cmdlets: - - `Enable-DeliveryOptimizationVerboseLogs` - - `Disable-DeliveryOptimizationVerboseLogs` - - `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -- New policy settings: - - [DOCacheHost](waas-delivery-optimization-reference.md#cache-server-hostname) - - [DOCacheHostSource](waas-delivery-optimization-reference.md#cache-server-hostname-source) - - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs); replaces DOPercentageMaxDownloadBandwidth - - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - -- Removed policy settings (if you set these policies in Windows 10, 2004, they will have no effect): - - DOMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOPercentageMaxDownloadBandwidth; use [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) or [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) instead. - - DOMaxUploadBandwidth - -- Support for new types of downloads: - - Office installs and updates - - Xbox game pass games - - MSIX apps (HTTP downloads only) - - Microsoft Edge browser installations and updates - - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) +- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." +- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). +- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements @@ -82,8 +55,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Download package | Minimum Windows version | |------------------|---------------| -| Windows 10 updates (feature updates and quality updates) | 1511 | -| Windows 10 drivers | 1511 | +| Windows client updates (feature updates and quality updates) | 1511 | +| Windows client drivers | 1511 | | Windows Store files | 1511 | | Windows Store for Business files | 1511 | | Windows Defender definition updates | 1511 | @@ -100,7 +73,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). @@ -242,7 +215,7 @@ Try a Telnet test between two devices on the network to ensure they can connect 2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] -> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection?view=windowsserver2019-ps) instead of Telnet to run the test. +> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. > **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680** ### None of the computers on the network are getting updates from peers @@ -254,28 +227,3 @@ Check Delivery Optimization settings that could limit participation in peer cach - Enable peer caching while the device connects using VPN. - Allow uploads when the device is on battery while under the set battery level - - - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](/archive/blogs/mniehaus/windows-10-delivery-optimization-and-wsus-take-2) - - -## Related articles - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 25ae02c985..a7081e65f1 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,7 +1,7 @@ --- -title: Configure VDA for Windows 10 Subscription Activation +title: Configure VDA for Windows 10/11 Subscription Activation ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro ms.author: greglin author: greg-lindsay @@ -18,9 +18,13 @@ ms.topic: article ms.collection: M365-modern-desktop --- -# Configure VDA for Windows 10 Subscription Activation +# Configure VDA for Windows 10/11 Subscription Activation -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +Applies to: +- Windows 10 +- Windows 11 + +This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. Deployment instructions are provided for the following scenarios: 1. [Active Directory-joined VMs](#active-directory-joined-vms) @@ -29,31 +33,31 @@ Deployment instructions are provided for the following scenarios: ## Requirements -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be generation 1. -- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). + - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). ## Activation ### Scenario 1 -- The VM is running Windows 10, version 1803 or later. -- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- The VM is running Windows 10, version 1803 or later (ex: Windows 11). +- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 - The Hyper-V host and the VM are both running Windows 10, version 1803 or later. - [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner. - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). + In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience). @@ -147,6 +151,6 @@ To create custom RDP settings for Azure: ## Related topics -[Windows 10 Subscription Activation](windows-10-subscription-activation.md) +[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) \ No newline at end of file diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 33fe4e9e80..a4d743c9db 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,15 +1,15 @@ --- -title: Windows 10 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +title: Windows 10/11 Enterprise E3 in CSP +description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 08/24/2017 +ms.date: 09/28/2021 ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro author: greg-lindsay audience: itpro @@ -17,51 +17,51 @@ ms.collection: M365-modern-desktop ms.topic: article --- -# Windows 10 Enterprise E3 in CSP +# Windows 10/11 Enterprise E3 in CSP -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: +Applies to: +- Windows 10 +- Windows 11 -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. + +Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. - Azure Active Directory (Azure AD) available for identity management -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. +You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - +- **Roll back to Windows 10/11 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? +How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. +In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11. ## Compare Windows 10 Pro and Enterprise editions +> [!NOTE] +> The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available. + Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. *Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* @@ -140,19 +140,19 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -## Deployment of Windows 10 Enterprise E3 licenses +## Deployment of Windows 10/11 Enterprise E3 licenses See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). -## Deploy Windows 10 Enterprise features +## Deploy Windows 10/11 Enterprise features -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? +Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features. ### Credential Guard\* -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. @@ -174,7 +174,7 @@ For more information about implementing Credential Guard, see the following reso ### Device Guard -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: +Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. @@ -197,7 +197,7 @@ For more information about implementing Device Guard, see: ### AppLocker management -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). @@ -209,7 +209,7 @@ App-V requires an App-V server infrastructure to support App-V clients. The prim - **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: @@ -253,7 +253,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan) -
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) \ No newline at end of file +[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 16e8c70c2a..4d6d62258a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Subscription Activation -description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions. +title: Windows 10/11 Subscription Activation +description: In this article, you will learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. keywords: upgrade, update, task sequence, deploy ms.custom: seo-marvel-apr2020 ms.prod: w10 @@ -10,52 +10,60 @@ ms.sitesec: library ms.pagetype: mdt audience: itpro author: greg-lindsay -manager: laurawi +manager: dougeby ms.collection: M365-modern-desktop search.appverid: - MET150 ms.topic: article --- -# Windows 10 Subscription Activation +# Windows 10/11 Subscription Activation -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. +Applies to: +- Windows 10 +- Windows 11 -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. +Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. +With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -## Subscription Activation for Windows 10 Enterprise +The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. +See the following topics: + +- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. +- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Benefits](#benefits): Advantages of subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). + +## Subscription Activation for Windows 10/11 Enterprise + +With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: - -- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. -- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. +- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. +- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -## Subscription Activation for Windows 10 Education +> [!NOTE] +> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. +## Subscription Activation for Education -## Summary - -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. -- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. - -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. ## Inherited Activation -Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. +Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. -When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. +When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. @@ -63,43 +71,35 @@ To support Inherited Activation, both the host computer and the VM must be runni > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). -The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. - -![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) +The following list illustrates how deploying Windows client has evolved with each release: - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
- - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
- - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
- - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
- - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
- - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
- - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
- - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. +- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation does not update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements -### Windows 10 Enterprise requirements +### Windows 10/11 Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). -> [!NOTE] +> [!IMPORTANT] > Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) @@ -123,14 +123,11 @@ If the device is running Windows 10, version 1809 or later: ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) -### Windows 10 Education requirements +### Windows 10/11 Education requirements - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. - - A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. - - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. - - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. > [!IMPORTANT] @@ -139,7 +136,7 @@ If the device is running Windows 10, version 1809 or later: ## Benefits -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) - [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) @@ -158,6 +155,9 @@ You can benefit by moving to Windows as an online service in the following ways: ## How it works +> [!NOTE] +> The following Windows 10 examples and scenarios also apply to Windows 11. + The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. @@ -214,8 +214,8 @@ If you’re running Windows 7, it can be more work.  A wipe-and-load approach w The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. @@ -224,7 +224,7 @@ When you have the required Azure AD subscription, group-based licensing is the p ### Existing Enterprise deployments -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). @@ -273,7 +273,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 70e61e303f..d150e02df0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,9 +1,470 @@ -- name: Security + +- name: Windows security href: index.yml +- name: Zero Trust and Windows + href: zero-trust-windows-device-health.md + expanded: true +- name: Hardware security items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: Overview + href: hardware.md + - name: Trusted Platform Module + href: information-protection/tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module Overview + href: information-protection/tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: information-protection/tpm/tpm-fundamentals.md + - name: How Windows uses the TPM + href: information-protection/tpm/how-windows-uses-the-tpm.md + - name: TPM Group Policy settings + href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: information-protection/tpm/tpm-recommendations.md + - name: Hardware-based root of trust + href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: System Guard Secure Launch and SMM protection + href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - name: Enable virtualization-based protection of code integrity + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Kernel DMA Protection + href: information-protection/kernel-dma-protection-for-thunderbolt.md + - name: Windows secured-core devices + href: /windows-hardware/design/device-experiences/oem-highly-secure +- name: Operating system security + items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md + items: + - name: Overview of BitLocker Device Encryption in Windows + href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: information-protection/bitlocker/troubleshoot-bitlocker.md + - name: "BitLocker cannot encrypt a drive: known issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + - name: "BitLocker Network Unlock: known issues" + href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + - name: "BitLocker recovery: known issues" + href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + - name: "BitLocker configuration: known issues" + href: information-protection/bitlocker/ts-bitlocker-config-issues.md + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + - name: "BitLocker and TPM: other known issues" + href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + - name: Decode Measured Boot logs to track PCR changes + href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows VPN client + href: identity-protection/vpn/vpn-office-365-optimization.md + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Virus & threat protection + items: + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Security intelligence + href: threat-protection/intelligence/index.md + items: + - name: Understand malware & other threats + href: threat-protection/intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: threat-protection/intelligence/prevent-malware-infection.md + - name: Malware names + href: threat-protection/intelligence/malware-naming.md + - name: Coin miners + href: threat-protection/intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: threat-protection/intelligence/exploits-malware.md + - name: Fileless threats + href: threat-protection/intelligence/fileless-threats.md + - name: Macro malware + href: threat-protection/intelligence/macro-malware.md + - name: Phishing + href: threat-protection/intelligence/phishing.md + - name: Ransomware + href: /security/compass/human-operated-ransomware + - name: Rootkits + href: threat-protection/intelligence/rootkits-malware.md + - name: Supply chain attacks + href: threat-protection/intelligence/supply-chain-malware.md + - name: Tech support scams + href: threat-protection/intelligence/support-scams.md + - name: Trojans + href: threat-protection/intelligence/trojans-malware.md + - name: Unwanted software + href: threat-protection/intelligence/unwanted-software.md + - name: Worms + href: threat-protection/intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: threat-protection/intelligence/criteria.md + - name: Submit files for analysis + href: threat-protection/intelligence/submission-guide.md + - name: Safety Scanner download + href: threat-protection/intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: threat-protection/intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: threat-protection/intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: threat-protection/intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: threat-protection/intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: threat-protection/intelligence/developer-faq.yml + - name: Software developer resources + href: threat-protection/intelligence/developer-resources.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md +- name: Application security + items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: threat-protection/windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md +- name: User security and secured identity + items: + - name: Overview + href: identity.md + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md + - name: Technical support policy for lost or forgotten passwords + href: identity-protection/password-support-policy.md + - name: Access Control Overview + href: identity-protection/access-control/access-control.md + items: + - name: Dynamic Access Control Overview + href: identity-protection/access-control/dynamic-access-control.md + - name: Security identifiers + href: identity-protection/access-control/security-identifiers.md + - name: Security Principals + href: identity-protection/access-control/security-principals.md + - name: Local Accounts + href: identity-protection/access-control/local-accounts.md + - name: Active Directory Accounts + href: identity-protection/access-control/active-directory-accounts.md + - name: Microsoft Accounts + href: identity-protection/access-control/microsoft-accounts.md + - name: Service Accounts + href: identity-protection/access-control/service-accounts.md + - name: Active Directory Security Groups + href: identity-protection/access-control/active-directory-security-groups.md + - name: Special Identities + href: identity-protection/access-control/special-identities.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Smart Cards + href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: identity-protection/smart-cards/smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: identity-protection/smart-cards/smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: identity-protection/smart-cards/smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: identity-protection/smart-cards/smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: identity-protection/smart-cards/smart-card-events.md + - name: Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md + items: + - name: Understanding and Evaluating Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md + items: + - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md + - name: Use Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate Virtual Smart Card Security + href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Cloud services + items: + - name: Overview + href: cloud.md + - name: Mobile device management + href: https://docs.microsoft.com/windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ +- name: Security foundations + items: + - name: Overview + href: security-foundations.md + - name: Microsoft Security Development Lifecycle + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md +- name: Windows Privacy + href: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/apps.md b/windows/security/apps.md new file mode 100644 index 0000000000..e376d06d98 --- /dev/null +++ b/windows/security/apps.md @@ -0,0 +1,28 @@ +--- +title: Windows application security +description: Get an overview of application security in Windows 10 and Windows 11 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows application security + +Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. + +The following table summarizes the Windows security features and capabilities for apps:

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | diff --git a/windows/security/cloud.md b/windows/security/cloud.md new file mode 100644 index 0000000000..7bccc2aa84 --- /dev/null +++ b/windows/security/cloud.md @@ -0,0 +1,39 @@ +--- +title: Windows and cloud security +description: Get an overview of cloud services supported in Windows 11 and Windows 10 +ms.reviewer: +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/20/2021 +ms.localizationpriority: medium +ms.custom: +f1.keywords: NOCSH +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +search.appverid: MET150 +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows and cloud security + +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. + +Windows 11 includes the cloud services that are listed in the following table:

+ +| Service type | Description | +|:---|:---| +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | + +## Next steps + +- [Learn more about MDM and Windows 11](/windows/client-management/mdm/) +- [Learn more about Windows security](index.yml) \ No newline at end of file diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md new file mode 100644 index 0000000000..7c781c1bdf --- /dev/null +++ b/windows/security/cryptography-certificate-mgmt.md @@ -0,0 +1,43 @@ +--- +title: Cryptography and Certificate Management +description: Get an overview of cryptography and certificate management in Windows +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: skhadeer, raverma +f1.keywords: NOCSH +--- + +# Cryptography and Certificate Management + + +## Cryptography + +Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. + +Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. + +Windows cryptographic modules provide low-level primitives such as: + +- Random number generators (RNG) +- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521) +- Hashing (support for SHA-256, SHA-384, and SHA-512) +- Signing and verification (padding support for OAEP, PSS, PKCS1) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF) + +These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). + +## Certificate management + +Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. + +Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 3a997cd1e9..d1a625e8bd 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -48,7 +48,7 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security", + "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md new file mode 100644 index 0000000000..359afde71f --- /dev/null +++ b/windows/security/encryption-data-protection.md @@ -0,0 +1,54 @@ +--- +title: Encryption and data protection in Windows +description: Get an overview encryption and data protection in Windows 11 and Windows 10 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: deepakm, rafals +f1.keywords: NOCSH +--- + +# Encryption and data protection in Windows client + +When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. +Encryption and data protection features include: + +- Encrypted Hard Drive +- BitLocker + +## Encrypted Hard Drive + +Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management. +By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + +Encrypted hard drives provide: + +- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system. +- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. +- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + +Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. + +## BitLocker + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. + +Windows consistently improves data protection by improving existing options and providing new strategies. + + +## See also + +- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) +- [BitLocker](information-protection/bitlocker/bitlocker-overview.md) diff --git a/windows/security/hardware.md b/windows/security/hardware.md new file mode 100644 index 0000000000..435dd886c2 --- /dev/null +++ b/windows/security/hardware.md @@ -0,0 +1,27 @@ +--- +title: Windows hardware security +description: Get an overview of hardware security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows hardware security + +Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml deleted file mode 100644 index 5e4680879e..0000000000 --- a/windows/security/identity-protection/TOC.yml +++ /dev/null @@ -1,132 +0,0 @@ -- name: Identity and access management - href: index.md - items: - - name: Technical support policy for lost or forgotten passwords - href: password-support-policy.md - - name: Access Control Overview - href: access-control/access-control.md - items: - - name: Dynamic Access Control Overview - href: access-control/dynamic-access-control.md - - name: Security identifiers - href: access-control/security-identifiers.md - - name: Security Principals - href: access-control/security-principals.md - - name: Local Accounts - href: access-control/local-accounts.md - - name: Active Directory Accounts - href: access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: access-control/microsoft-accounts.md - - name: Service Accounts - href: access-control/service-accounts.md - - name: Active Directory Security Groups - href: access-control/active-directory-security-groups.md - - name: Special Identities - href: access-control/special-identities.md - - name: User Account Control - href: user-account-control\user-account-control-overview.md - items: - - name: How User Account Control works - href: user-account-control\how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control\user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: hello-for-business/index.yml - - name: Protect derived domain credentials with Credential Guard - href: credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: remote-credential-guard.md - - name: Smart Cards - href: smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-cards/smart-card-events.md - - name: Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-overview.md - items: - - name: Understanding and Evaluating Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md - items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" - href: virtual-smart-cards\virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security - href: virtual-smart-cards\virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - - name: Enterprise Certificate Pinning - href: enterprise-certificate-pinning.md - - name: Windows 10 credential theft mitigation guide abstract - href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md - - name: VPN technical guide - href: vpn\vpn-guide.md - items: - - name: VPN connection types - href: vpn\vpn-connection-type.md - - name: VPN routing decisions - href: vpn\vpn-routing.md - - name: VPN authentication options - href: vpn\vpn-authentication.md - - name: VPN and conditional access - href: vpn\vpn-conditional-access.md - - name: VPN name resolution - href: vpn\vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: vpn\vpn-auto-trigger-profile.md - - name: VPN security features - href: vpn\vpn-security-features.md - - name: VPN profile options - href: vpn\vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client - href: vpn\vpn-office-365-optimization.md diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md deleted file mode 100644 index 9cd9f0847d..0000000000 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Change history for access protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/11/2017 -ms.reviewer: ---- - -# Change history for access protection -This topic lists new and updated topics in the [Access protection](index.md) documentation. - -## August 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.| - -## June 2017 -|New or changed topic |Description | -|---------------------|------------| -|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New | - - -## March 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| \ No newline at end of file diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9423de2923..2f95950f32 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,5 +1,5 @@ --- -title: Configure S/MIME for Windows 10 +title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: @@ -19,16 +19,17 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 +# Configure S/MIME for Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. ## About message encryption -Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. @@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been On the device, perform the following steps: (add select certificate) -1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +1. Open the Mail app. 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index d2bee6b47c..735e563fb8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -219,4 +219,5 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). \ No newline at end of file + Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. + \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ccb1a890ff..fba0adf89f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -80,7 +80,9 @@ To include the on-premises distinguished name in the certificate's subject, Azur Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. + 2. In the **Synchronization Service Manager**, click **Help** and then click **About**. + 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized @@ -88,9 +90,13 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ + 2. Click **Login** and provide Azure credentials + 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** + 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account @@ -102,9 +108,13 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. + 3. Right-click the **Users** container. Hover over **New** and click **Group**. + 4. Type **NDES Servers** in the **Group Name** text box. + 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group @@ -112,8 +122,11 @@ Sign-in to a domain controller or management workstation with access equivalent Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. + +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**. + 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] @@ -126,8 +139,11 @@ The Network Device Enrollment Services (NDES) role runs under a service account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. In the navigation pane, expand the node that has your domain name. Select **Users**. + 2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**. + 3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**. + 4. Click **Finish**. > [!IMPORTANT] @@ -140,15 +156,25 @@ The Group Policy object ensures the NDES Service account has the proper user rig Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Right-click **Group Policy object** and select **New**. + 4. Type **NDES Service Rights** in the name box and click **OK**. + 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. + 6. In the navigation pane, expand **Policies** under **Computer Configuration**. + 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. + 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. + 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object @@ -158,10 +184,15 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Double-click the **NDES Service User Rights** Group Policy object. + 4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**. + 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. + 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object @@ -171,7 +202,9 @@ The application of the **NDES Service User Rights** Group Policy object uses sec Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** + 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] @@ -197,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad 1. Open an elevated command prompt and type the following command: - ``` + ```console certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` @@ -210,18 +243,26 @@ NDES uses a server authentication certificate to authenticate the server endpoin Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. + 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 5. On the **Subject** tab, select **Supply in the request**. + 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. + 7. On the **Security** tab, click **Add**. + 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. + 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template @@ -231,20 +272,30 @@ During Windows Hello for Business provisioning, Windows requests an authenticat Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. On the **Subject** tab, select **Supply in the request**. + 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. + 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. + 11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + 12. Close the console. ### Publish certificate templates @@ -257,10 +308,15 @@ The certificate authority may only issue certificates for certificate templates Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. + 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. ## Install and Configure the NDES Role @@ -282,18 +338,31 @@ Install the Network Device Enrollment Service role on a computer other than the Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. + 2. Click **Manage**. Click **Add Roles and Features**. + 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) + 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) + Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) + + ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png) + 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) + 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + 7. Click **Next** on the **Web Server Role (IIS)** page. + 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - **Web Server > Security > Request Filtering** @@ -303,10 +372,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) + 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. + > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) + + ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png) ### Configure the NDES service account @@ -317,8 +389,11 @@ This task adds the NDES service account to the local IIS_USRS group. The task a Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). + 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. + 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. + 4. Close the management console. #### Register a Service Principal Name on the NDES Service account @@ -326,13 +401,16 @@ Sign-in the NDES server with access equivalent to _local administrator_. Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. + 2. Type the following command to register the service principal name - ``` + ```console setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: - ``` + + ```console setspn -s http/ndes.corp.contoso.com contoso\ndessvc ``` @@ -348,17 +426,29 @@ The NDES service enrolls certificates on behalf of users. Therefore, you want t Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** + 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. + ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) + 3. Select **Trust this user for delegation to specified services only**. + 4. Select **Use any authentication protocol**. + 5. Click **Add**. + 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. + ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. + 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. + 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. + ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates @@ -375,18 +465,31 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. + 2. On the **Credentials** page, click **Next**. + ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) + 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** + ![NDES Role Services.](images/aadjcert/ndesconfig02.png) + 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. + ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) + 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. + ![NDES CA selection.](images/aadjcert/ndesconfig04.png) + 6. On the **RA Information**, click **Next**. + 7. On the **Cryptography for NDES** page, click **Next**. + 8. Review the **Confirmation** page. Click **Configure**. + ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) + 9. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES @@ -412,18 +515,23 @@ If the need arises, you can configure a signature certificate in the encryption Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. + 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. + 3. Type the following command: - ``` + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: - ``` + + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` 4. Type **Y** when the command asks for permission to overwrite the existing value. + 5. Close the command prompt. > [!IMPORTANT] @@ -444,21 +552,34 @@ Connector group automatically round-robin, load balance the Azure AD Application Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. + > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. + 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. + ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) + 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. + ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) + 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. + ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) + 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -466,12 +587,19 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. + 6. Click **Save**. #### Create the Azure Application Proxy @@ -479,17 +607,29 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Configure an app**. + 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. + 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. + 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) + 8. Select **Passthrough** from the **Pre Authentication** list. + 9. Select **NDES WHFB Connectors** from the **Connector Group** list. + 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. + 11. Click **Add**. + 12. Sign-out of the Azure Portal. > [!IMPORTANT] @@ -502,16 +642,27 @@ This task enrolls a client and server authentication certificate used by the Int Sign-in the NDES server with access equivalent to _local administrators_. 1. Start the Local Computer **Certificate Manager** (certlm.msc). + 2. Expand the **Personal** node in the navigation pane. + 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. + 4. Click **Next** on the **Before You Begin** page. + 5. Click **Next** on the **Select Certificate Enrollment Policy** page. + 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. + 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. + 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. + 10. Click **Enroll** + 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role @@ -521,15 +672,25 @@ This task configures the Web Server role on the NDES server to use the server au Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) -3. Click **Bindings...*** under **Actions**. Click **Add**. + +3. Click **Bindings...** under **Actions**. Click **Add**. + ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) + 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. + 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. + ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) + 6. Select **http** from the **Site Bindings** list. Click **Remove**. + 7. Click **Close** on the **Site Bindings** dialog box. + 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration @@ -541,18 +702,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration 1. Open **Server Manager**. Click **Local Server** from the navigation pane. + 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. + 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. + 4. Close **Server Manager**. #### Test the NDES web server 1. Open **Internet Explorer**. + 2. In the navigation bar, type - ``` + ```https https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. @@ -560,6 +726,7 @@ A web page similar to the following should appear in your web browser. If you d ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. + ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune @@ -575,23 +742,34 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) + 4. Select **Allow unlisted file name extensions**. + 5. Select **Allow unlisted verbs**. + 6. Select **Allow high-bit characters**. + 7. Type **30000000** in **Maximum allowed content length (Bytes)**. + 8. Type **65534** in **Maximum URL length (Bytes)**. + 9. Type **65534** in **Maximum query string (Bytes)**. + 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. + 2. Run the following commands: - ``` + ```console reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` @@ -607,10 +785,15 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. + 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. + ![Intune Certificate Authority.](images/aadjcert/profile01.png) + 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. + 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector @@ -618,27 +801,39 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. + 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. + 3. On the **Microsoft Intune** page, click **Next**. + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) + 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. + 5. On the **Destination Folder** page, click **Next**. + 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) + 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. + 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector @@ -651,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** + ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. + ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] @@ -671,9 +868,13 @@ Optionally (not required), you can configure the Intune connector for certificat Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. + 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. + 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) + 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -681,8 +882,11 @@ Sign-in the certificate authority used by the NDES Connector with access equival Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). + 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) + 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector @@ -690,23 +894,28 @@ Sign-in the NDES server with access equivalent to _domain administrator_. Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. + 2. Type the following command to confirm the NDES Connector's last connection time is current. - ``` + ```console reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` 3. Close the command prompt. + 4. Open **Internet Explorer**. + 5. In the navigation bar, type: - ``` + ```console https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -716,14 +925,23 @@ Sign-in the NDES server with access equivalent to _domain admin_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Click **Groups**. Click **New group**. + 4. Select **Security** from the **Group type** list. + 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. + 6. Provide a **Group description**, if applicable. + 7. Select **Assigned** from the **Membership type** list. + ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) + 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. + 9. Click **Create**. ### Create a SCEP Certificate Profile @@ -731,20 +949,30 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Select **Create Profile**. + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) + 4. Select **Windows 10 and later** from the **Platform** list. + 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. + 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. + 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. + 8. Select **User** as a certificate type. + 9. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. + 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] @@ -752,13 +980,21 @@ Sign-in a workstation with access equivalent to a _domain user_. > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. + 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. + 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. + 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. + 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) + 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. + 18. Click **Next**. + 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile @@ -766,12 +1002,19 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Click **WHFB Certificate Enrollment**. + 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. + 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) + 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. + 7. Click **Review + Save**, and then **Save**. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..70b89b04ee 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Smart Card and Remote Desktop Services (Windows 10) +title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..604f470a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,5 +1,5 @@ --- -title: Smart Card Architecture (Windows 10) +title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Architecture -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..32f79fdf8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,5 +1,5 @@ --- -title: Certificate Propagation Service (Windows 10) +title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/24/2021 ms.reviewer: --- # Certificate Propagation Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..7e32d7679f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,5 +1,5 @@ --- -title: Certificate Requirements and Enumeration (Windows 10) +title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index a084d3c132..b65f0ce66c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,5 +1,5 @@ --- -title: Smart Card Troubleshooting (Windows 10) +title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index bb93b39cce..b8f7de6f81 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -1,5 +1,5 @@ --- -title: Smart Card Events (Windows 10) +title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Events -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 50d2b45bb2..ad5011e9b9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Group Policy and Registry Settings (Windows 10) +title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows 11, Windows Server 2016 and above This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9939c9ec73..05d1dbf771 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows 10) +title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..c52deb3971 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -1,5 +1,5 @@ --- -title: Smart Card Removal Policy Service (Windows 10) +title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,17 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). **Smart card removal policy service** diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index e4548fc317..ba3e2a4c05 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -1,5 +1,5 @@ --- -title: Smart Cards for Windows Service (Windows 10) +title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. @@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: -``` +```PowerShell Never notify< Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. @@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 6f65b3199e..a4ae0b4d3d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control Group Policy and registry key settings (Windows 10) +title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: w10 ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index a95145abaa..263dd2fe27 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,5 +1,5 @@ --- -title: User Account Control (Windows 10) +title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 ms.reviewer: @@ -14,14 +14,15 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 07/27/2017 +ms.date: 09/24/2011 --- # User Account Control **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 793fe303aa..9a6cb42323 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control security policy settings (Windows 10) +title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 ms.reviewer: @@ -14,13 +14,16 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 --- # User Account Control security policy settings **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..3a8d6e6ed0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10) -description: Provides a summary of the Windows 10 credential theft mitigation guide. +title: Windows Credential Theft Mitigation Guide Abstract +description: Provides a summary of the Windows credential theft mitigation guide. ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a ms.reviewer: ms.prod: w10 @@ -17,12 +17,12 @@ ms.localizationpriority: medium ms.date: 04/19/2017 --- -# Windows 10 Credential Theft Mitigation Guide Abstract +# Windows Credential Theft Mitigation Guide Abstract **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). +This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets diff --git a/windows/security/identity.md b/windows/security/identity.md new file mode 100644 index 0000000000..0cfa07beba --- /dev/null +++ b/windows/security/identity.md @@ -0,0 +1,27 @@ +--- +title: Windows identity and user security +description: Get an overview of identity security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows identity and user security + +Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. + +| Security capabilities | Description | +|:---|:---| +| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | +| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| +| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png new file mode 100644 index 0000000000..e062b0d292 Binary files /dev/null and b/windows/security/images/windows-security-app-w11.png differ diff --git a/windows/security/index.yml b/windows/security/index.yml index 4a5558a16d..7a5576692b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,38 +1,170 @@ -### YamlMime:Hub +### YamlMime:Landing -title: Windows 10 Enterprise Security # < 60 chars -summary: Secure corporate data and manage risk. # < 160 chars -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin -brand: windows +title: Windows security # < 60 chars +summary: Windows is a Zero Trust-ready operating system that provides security from chip to cloud. # < 160 chars metadata: - title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars. - services: windows + title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required ms.prod: windows - ms.topic: hub-page # Required - ms.collection: M365-security-compliance # Optional; Remove if no collection is used. + ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 01/08/2018 #Required; mm/dd/yyyy format. - ms.localizationpriority: high + ms.date: 09/20/2021 + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Zero Trust and Windows + linkLists: + - linkListType: overview + links: + - text: Overview + url: zero-trust-windows-device-health.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Hardware security + linkLists: + - linkListType: overview + links: + - text: Overview + url: hardware.md + - linkListType: concept + links: + - text: Trusted Platform Module + url: information-protection/tpm/trusted-platform-module-top-node.md + - text: Windows Defender System Guard firmware protection + url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - text: System Guard Secure Launch and SMM protection enablement + url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - text: Virtualization-based protection of code integrity + url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - text: Kernel DMA Protection + url: information-protection/kernel-dma-protection-for-thunderbolt.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Operating system security + linkLists: + - linkListType: overview + links: + - text: Overview + url: operating-system.md + - linkListType: concept + links: + - text: System security + url: trusted-boot.md + - text: Encryption and data protection + url: encryption-data-protection.md + - text: Windows security baselines + url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + - text: Virtual private network guide + url: identity-protection/vpn/vpn-guide.md + - text: Windows Defender Firewall + url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - text: Virus & threat protection + url: threat-protection/index.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Application security + linkLists: + - linkListType: overview + links: + - text: Overview + url: apps.md + - linkListType: concept + links: + - text: Application Control and virtualization-based protection + url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - text: Application Control + url: threat-protection/windows-defender-application-control/windows-defender-application-control.md + - text: Application Guard + url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md + - text: Windows Sandbox + url: threat-protection/windows-sandbox/windows-sandbox-overview.md + - text: Microsoft Defender SmartScreen + url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - text: S/MIME for Windows + url: identity-protection/configure-s-mime.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User security and secured identity + linkLists: + - linkListType: overview + links: + - text: Overview + url: identity.md + - linkListType: concept + links: + - text: Windows Hello for Business + url: identity-protection/hello-for-business/hello-overview.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Protect domain credentials + url: identity-protection/credential-guard/credential-guard.md + - text: Windows Defender Credential Guard + url: identity-protection/credential-guard/credential-guard.md + - text: Lost or forgotten passwords + url: identity-protection/password-support-policy.md + - text: Access control + url: identity-protection/access-control/access-control.md + - text: Smart cards + url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept + links: + - text: Mobile device management + url: https://docs.microsoft.com/windows/client-management/mdm/ + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: Your Microsoft Account + url: identity-protection/access-control/microsoft-accounts.md + - text: OneDrive + url: https://docs.microsoft.com/onedrive/onedrive + - text: Family safety + url: threat-protection/windows-defender-security-center/wdsc-family-options.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Overview + url: security-foundations.md + - linkListType: reference + links: + - text: Microsoft Security Development Lifecycle + url: threat-protection/msft-security-dev-lifecycle.md + - text: Microsoft Bug Bounty + url: threat-protection/microsoft-bug-bounty-program.md + - text: Common Criteria Certifications + url: threat-protection/windows-platform-common-criteria.md + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: threat-protection/fips-140-validation.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Privacy controls + linkLists: + - linkListType: reference + links: + - text: Windows and Privacy Compliance + url: /windows/privacy/windows-10-and-privacy-compliance -# productDirectory section (optional) -productDirectory: - items: - # Card - - title: Identity and access management - # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data - url: ./identity-protection/index.md - # Card - - title: Threat protection - imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Stop cyberthreats and quickly identify and respond to breaches - url: ./threat-protection/index.md - # Card - - title: Information protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Identify and secure critical data to prevent data loss - url: ./information-protection/index.md \ No newline at end of file diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml deleted file mode 100644 index bcaa9d74d7..0000000000 --- a/windows/security/information-protection/TOC.yml +++ /dev/null @@ -1,149 +0,0 @@ -- name: Information protection - href: index.md - items: - - name: BitLocker - href: bitlocker\bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows 10 - href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: bitlocker\bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: bitlocker\bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: bitlocker\bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: bitlocker\bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: bitlocker\bitlocker-and-adds-faq.yml - - name: Security - href: bitlocker\bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.yml - - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: bitlocker\bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: bitlocker\bitlocker-basic-deployment.md - - name: "BitLocker: How to deploy on Windows Server 2012 and later" - href: bitlocker\bitlocker-how-to-deploy-on-windows-server.md - - name: "BitLocker: Management for enterprises" - href: bitlocker\bitlocker-management-for-enterprises.md - - name: "BitLocker: How to enable Network Unlock" - href: bitlocker\bitlocker-how-to-enable-network-unlock.md - - name: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker" - href: bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: "BitLocker: Use BitLocker Recovery Password Viewer" - href: bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: bitlocker\bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: bitlocker\bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: bitlocker\bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: bitlocker\bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: bitlocker\troubleshoot-bitlocker.md - - name: "BitLocker cannot encrypt a drive: known issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-issues.md - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: bitlocker\ts-bitlocker-intune-issues.md - - name: "BitLocker Network Unlock: known issues" - href: bitlocker\ts-bitlocker-network-unlock-issues.md - - name: "BitLocker recovery: known issues" - href: bitlocker\ts-bitlocker-recovery-issues.md - - name: "BitLocker configuration: known issues" - href: bitlocker\ts-bitlocker-config-issues.md - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md - - name: "BitLocker and TPM: other known issues" - href: bitlocker\ts-bitlocker-tpm-issues.md - - name: Decode Measured Boot logs to track PCR changes - href: bitlocker\ts-bitlocker-decode-measured-boot-logs.md - - name: Encrypted Hard Drive - href: encrypted-hard-drive.md - - name: Kernel DMA Protection - href: kernel-dma-protection-for-thunderbolt.md - - name: Protect your enterprise data using Windows Information Protection (WIP) - href: windows-information-protection\protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: windows-information-protection\overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: windows-information-protection\create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: windows-information-protection\deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: windows-information-protection\mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: windows-information-protection\testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: windows-information-protection\limitations-with-wip.md - - name: How to collect WIP audit event logs - href: windows-information-protection\collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: windows-information-protection\guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: windows-information-protection\enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: windows-information-protection\app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: windows-information-protection\recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: windows-information-protection\using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: windows-information-protection\wip-learning.md - - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md - - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md - - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: tpm/tpm-recommendations.md diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 34a70a7698..3c10de8372 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> [!NOTE] +> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile @@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. -> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +> [!NOTE] +> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 5582a89d66..9a77ca4317 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. -> -> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fd212875f8..bc8488a920 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d58028caea..a4bc245136 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -64,7 +64,8 @@ manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` ->**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: @@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. ->**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. +> [!TIP] +> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: @@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d - Windows does not start, or you cannot start the BitLocker recovery console. - You do not have a copy of the data that is contained on the encrypted drive. ->**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. The following limitations exist for Repair-bde: @@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. + The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. ->**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. +> [!TIP] +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. @@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` ->**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes @@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using an AD Account or Group protector in Windows PowerShell The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. ->**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes +> [!WARNING] +> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. @@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ->**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` ->**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> [!TIP] +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: @@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` ->**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. ## More information diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index f8dc37af5a..f2ed14e623 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** 1. Delete the following entries: @@ -55,9 +56,13 @@ To resolve this issue, follow these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. + 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. + 1. Follow the instructions on the page to enter your password. + 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. + 1. The **Starting encryption** page displays the message "Access is denied." You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. @@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps: 1. At the command prompt, enter the following command: - ```cmd + ```console C:\>sc sdshow bdesvc ``` The output of this command resembles the following: - > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) + > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. @@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - ```ps + ```powershell sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6b1ee39717..4142982e69 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: -``` +```console \# for hex 0xc0210000 / decimal -1071579136 ‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h ‎ \# This volume is locked by BitLocker Drive Encryption. @@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur The operation produces the following call stack: -``` +```console \# Child-SP RetAddr Call Site ‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] ‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 276b174efd..9c0af342bc 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -55,7 +55,8 @@ To install the tool, follow these steps: To use TBSLogGenerator, follow these steps: -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: +1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: + **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** This folder contains the TBSLogGenerator.exe file. @@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps: ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: - ```cmd + + ```console TBSLogGenerator.exe -LF \.log > \.txt ``` + where the variables represent the following values: - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded @@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - ```cmd + ```console TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` @@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps: ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) -The content of this text file resembles the following. - -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - -To find the PCR information, go to the end of the file. - + The content of this text file resembles the following. + + ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) + + To find the PCR information, go to the end of the file. + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To decode a log, run the following command: -```cmd + +```console PCPTool.exe decodelog \.log > \.xml ``` @@ -114,4 +118,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 13b4676a20..44ad76e76b 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: -``` +```console diskpart list volume ``` + ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). @@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```cmd +```console reagentc /info ``` + The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: -```cmd +```console reagentc /enable ``` @@ -135,13 +137,13 @@ reagentc /enable If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: -```cmd +```console bcdedit /enum all ``` The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B To verify the BIOS mode, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. + > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -get %systemdrive% ``` @@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc To verify the Secure Boot state, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **Secure Boot State** setting is **On**, as follows: + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` +> > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index aa70c53412..110aad6465 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```cmd + ```console manage-bde -protectors -adbackup C: ``` @@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: -```cmd +```console Manage-bde -forcerecovery ``` @@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. + 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : - ```cmd + +1. In the Command Prompt window, run the following commands: + + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: + ``` + 1. Close the Command Prompt window. + 1. Shut down the device. + 1. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password @@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On, To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: -```cmd +```console manage-bde.exe -protectors -get : ``` @@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. + 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. + 1. Insert the USB Surface recovery image drive into the Surface device, and start the device. + 1. When you are prompted, select the following items: + 1. Your operating system language. + 1. Your keyboard layout. + 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : + ``` + In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + > [!NOTE] > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + 1. Restart the computer. + 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] @@ -155,11 +175,15 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: - ```cmd + + ```console manage-bde -unlock -recoverypassword : ``` + In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. + > [!NOTE] > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). @@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` + In this command, <*DriveLetter*> is the letter that is assigned to your drive. + 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. + 1. Restart the device. + 1. Open an elevated PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. + For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. + 1. Run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" + ``` #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates @@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 + ``` + In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. + 1. Install the Surface device driver and firmware updates. + 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. + 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. + 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. + 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: exit ``` These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. + > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. + 1. Select **Continue**. Windows should start. + 1. After Windows has started, open an elevated Command Prompt window and run the following command: - ```cmd + + ```console Manage-bde -protectors -enable c: ``` @@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -disable c: -rc 1 ``` diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45659d1cac..a13435b388 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- -title: Secure the Windows 10 boot process -description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot process +title: Secure the Windows boot process +description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security @@ -12,12 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/16/2018 +ms.date: ms.reviewer: ms.author: dansimp --- -# Secure the Windows 10 boot process +# Secure the Windows boot process **Applies to:** - Windows 11 @@ -27,11 +27,11 @@ ms.author: dansimp The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. -Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. +Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. -When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. +When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you. @@ -61,7 +61,7 @@ Figure 1 shows the Windows startup process. **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** -Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. +Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot. @@ -131,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) +- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md new file mode 100644 index 0000000000..66115fef04 --- /dev/null +++ b/windows/security/operating-system.md @@ -0,0 +1,42 @@ +--- +title: Windows operating system security +description: Securing the operating system includes system security, encryption, network security, and threat protection. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +ms.date: 09/21/2021 +--- + +# Windows operating system security + +Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. + +Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

Learn more [Secure Boot and Trusted Boot](trusted-boot.md). | +Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| +Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| +| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

+| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). | + diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md new file mode 100644 index 0000000000..7ec5414862 --- /dev/null +++ b/windows/security/security-foundations.md @@ -0,0 +1,33 @@ +--- +title: Windows security foundations +description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows security foundations + +Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. + +Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. + +Use the links in the following table to learn more about the security foundations:

+ +| Concept | Description | +|:---|:---| +| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | +| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | +| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| +| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). | + + + diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml deleted file mode 100644 index ae12fde723..0000000000 --- a/windows/security/threat-protection/TOC.yml +++ /dev/null @@ -1,1410 +0,0 @@ -- name: Threat protection - href: index.md - items: - - name: Next-generation protection with Microsoft Defender Antivirus - items: - - name: Microsoft Defender Antivirus overview - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10 - - name: Evaluate Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus - - name: Configure Microsoft Defender Antivirus - items: - - name: Configure Microsoft Defender Antivirus features - href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features - - name: Use Microsoft cloud-delivered protection - href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus - items: - - name: Prevent security settings changes with tamper protection - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Enable Block at first sight - href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus - - name: Configure the cloud block timeout period - href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus - - name: Configure behavioral, heuristic, and real-time protection - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus - - name: Detect and block Potentially Unwanted Applications - href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - - name: Enable and configure always-on protection and monitoring - href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus - - name: Antivirus on Windows Server - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server - - name: Antivirus compatibility - items: - - name: Compatibility charts - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility - - name: Use limited periodic antivirus scanning - href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus - - name: Manage Microsoft Defender Antivirus in your business - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus - - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus - - name: Use Group Policy settings to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus - - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus - - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus - - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus - - name: Deploy, manage updates, and report on Microsoft Defender Antivirus - items: - - name: Preparing to deploy - href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus - - name: Deploy and enable Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus - - name: Deployment guide for VDI environments - href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus - - name: Report on antivirus protection - - name: Review protection status and alerts - href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus - - name: Troubleshoot antivirus reporting in Update Compliance - href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting - - name: Learn about the recent updates - href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus - - name: Manage protection and security intelligence updates - href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus - - name: Manage when protection updates should be downloaded and applied - href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus - - name: Manage updates for endpoints that are out of date - href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus - - name: Manage event-based forced updates - href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus - - name: Manage updates for mobile devices and VMs - href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus - - name: Customize, initiate, and review the results of scans and remediation - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Common mistakes when defining exclusions - href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus - - name: Configure scanning antivirus options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Manage scans and remediation - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - - name: Exclusions overview - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions on Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Configure scanning options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - items: - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus - items: - - name: Troubleshoot Microsoft Defender Antivirus issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus migration issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating - - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint" - href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus - - name: "Better together: Microsoft Defender Antivirus and Office 365" - href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus - - name: Hardware-based isolation - items: - - name: Hardware-based isolation evaluation - href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md - - name: Application isolation - items: - - name: Application guard overview - href: microsoft-defender-application-guard/md-app-guard-overview.md - - name: System requirements - href: microsoft-defender-application-guard/reqs-md-app-guard.md - - name: Install Microsoft Defender Application Guard - href: microsoft-defender-application-guard/install-md-app-guard.md - - name: Install Microsoft Defender Application Guard Extension - href: microsoft-defender-application-guard/md-app-guard-browser-extension.md - - name: Application control - href: windows-defender-application-control/windows-defender-application-control.md - items: - - name: Audit Application control policies - href: windows-defender-application-control/audit-windows-defender-application-control-policies.md - - name: System isolation - href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: System integrity - href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md - - name: Code integrity - href: device-guard/enable-virtualization-based-protection-of-code-integrity.md - - name: Network firewall - items: - - name: Network firewall overview - href: windows-firewall/windows-firewall-with-advanced-security.md - - name: Network firewall evaluation - href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md - - name: Security intelligence - href: intelligence/index.md - items: - - name: Understand malware & other threats - href: intelligence/understanding-malware.md - items: - - name: Prevent malware infection - href: intelligence/prevent-malware-infection.md - - name: Malware names - href: intelligence/malware-naming.md - - name: Coin miners - href: intelligence/coinminer-malware.md - - name: Exploits and exploit kits - href: intelligence/exploits-malware.md - - name: Fileless threats - href: intelligence/fileless-threats.md - - name: Macro malware - href: intelligence/macro-malware.md - - name: Phishing - href: intelligence/phishing.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: intelligence/rootkits-malware.md - - name: Supply chain attacks - href: intelligence/supply-chain-malware.md - - name: Tech support scams - href: intelligence/support-scams.md - - name: Trojans - href: intelligence/trojans-malware.md - - name: Unwanted software - href: intelligence/unwanted-software.md - - name: Worms - href: intelligence/worms-malware.md - - name: How Microsoft identifies malware and PUA - href: intelligence/criteria.md - - name: Submit files for analysis - href: intelligence/submission-guide.md - - name: Safety Scanner download - href: intelligence/safety-scanner-download.md - - name: Industry collaboration programs - href: intelligence/cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: intelligence/virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: intelligence/virus-initiative-criteria.md - - name: Coordinated malware eradication - href: intelligence/coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: intelligence/developer-faq.yml - - name: Software developer resources - href: intelligence/developer-resources.md - - name: The Windows Security app - href: windows-defender-security-center/windows-defender-security-center.md - items: - - name: Customize the Windows Security app for your organization - href: windows-defender-security-center/wdsc-customize-contact-information.md - - name: Hide Windows Security app notifications - href: windows-defender-security-center/wdsc-hide-notifications.md - - name: Manage Windows Security app in Windows 10 in S mode - href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md - - name: Virus and threat protection - href: windows-defender-security-center/wdsc-virus-threat-protection.md - - name: Account protection - href: windows-defender-security-center/wdsc-account-protection.md - - name: Firewall and network protection - href: windows-defender-security-center/wdsc-firewall-network-protection.md - - name: App and browser control - href: windows-defender-security-center/wdsc-app-browser-control.md - - name: Device security - href: windows-defender-security-center/wdsc-device-security.md - - name: Device performance and health - href: windows-defender-security-center/wdsc-device-performance-health.md - items: - - name: Family options - href: windows-defender-security-center/wdsc-family-options.md - - name: Microsoft Defender SmartScreen - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: - - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md - - name: Set up and use Microsoft Defender SmartScreen on individual devices - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md - - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: "Windows Defender Application Control and virtualization-based protection of code integrity" - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Certifications - items: - - name: FIPS 140 Validations - href: fips-140-validation.md - - name: Common Criteria Certifications - href: windows-platform-common-criteria.md - - name: More Windows 10 security - items: - - name: Control the health of Windows 10-based devices - href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - - name: Mitigate threats by using Windows 10 security features - href: overview-of-threat-mitigations-in-windows-10.md - - name: Override Process Mitigation Options to help enforce app-related security policies - href: override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: block-untrusted-fonts-in-enterprise.md - - name: Security auditing - href: auditing/security-auditing-overview.md - items: - - name: Basic security audit policies - href: auditing/basic-security-audit-policies.md - items: - - name: Create a basic audit policy for an event category - href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md - - name: Apply a basic audit policy on a file or folder - href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md - - name: View the security event log - href: auditing/view-the-security-event-log.md - - name: Basic security audit policy settings - href: auditing/basic-security-audit-policy-settings.md - items: - - name: Audit account logon events - href: auditing/basic-audit-account-logon-events.md - - name: Audit account management - href: auditing/basic-audit-account-management.md - - name: Audit directory service access - href: auditing/basic-audit-directory-service-access.md - - name: Audit logon events - href: auditing/basic-audit-logon-events.md - - name: Audit object access - href: auditing/basic-audit-object-access.md - - name: Audit policy change - href: auditing/basic-audit-policy-change.md - - name: Audit privilege use - href: auditing/basic-audit-privilege-use.md - - name: Audit process tracking - href: auditing/basic-audit-process-tracking.md - - name: Audit system events - href: auditing/basic-audit-system-events.md - - name: Advanced security audit policies - href: auditing/advanced-security-auditing.md - items: - - name: Planning and deploying advanced security audit policies - href: auditing/planning-and-deploying-advanced-security-audit-policies.md - - name: Advanced security auditing FAQ - href: auditing/advanced-security-auditing-faq.yml - items: - - name: Which editions of Windows support advanced audit policy configuration - href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md - - name: How to list XML elements in \ - href: auditing/how-to-list-xml-elements-in-eventdata.md - - name: Using advanced security auditing options to monitor dynamic access control objects - href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md - items: - - name: Monitor the central access policies that apply on a file server - href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md - - name: Monitor the use of removable storage devices - href: auditing/monitor-the-use-of-removable-storage-devices.md - - name: Monitor resource attribute definitions - href: auditing/monitor-resource-attribute-definitions.md - - name: Monitor central access policy and rule definitions - href: auditing/monitor-central-access-policy-and-rule-definitions.md - - name: Monitor user and device claims during sign-in - href: auditing/monitor-user-and-device-claims-during-sign-in.md - - name: Monitor the resource attributes on files and folders - href: auditing/monitor-the-resource-attributes-on-files-and-folders.md - - name: Monitor the central access policies associated with files and folders - href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md - - name: Monitor claim types - href: auditing/monitor-claim-types.md - - name: Advanced security audit policy settings - href: auditing/advanced-security-audit-policy-settings.md - items: - - name: Audit Credential Validation - href: auditing/audit-credential-validation.md - - name: "Event 4774 S, F: An account was mapped for logon." - href: auditing/event-4774.md - - name: "Event 4775 F: An account could not be mapped for logon." - href: auditing/event-4775.md - - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." - href: auditing/event-4776.md - - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." - href: auditing/event-4777.md - - name: Audit Kerberos Authentication Service - href: auditing/audit-kerberos-authentication-service.md - items: - - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." - href: auditing/event-4768.md - - name: "Event 4771 F: Kerberos pre-authentication failed." - href: auditing/event-4771.md - - name: "Event 4772 F: A Kerberos authentication ticket request failed." - href: auditing/event-4772.md - - name: Audit Kerberos Service Ticket Operations - href: auditing/audit-kerberos-service-ticket-operations.md - items: - - name: "Event 4769 S, F: A Kerberos service ticket was requested." - href: auditing/event-4769.md - - name: "Event 4770 S: A Kerberos service ticket was renewed." - href: auditing/event-4770.md - - name: "Event 4773 F: A Kerberos service ticket request failed." - href: auditing/event-4773.md - - name: Audit Other Account Logon Events - href: auditing/audit-other-account-logon-events.md - - name: Audit Application Group Management - href: auditing/audit-application-group-management.md - - name: Audit Computer Account Management - href: auditing/audit-computer-account-management.md - items: - - name: "Event 4741 S: A computer account was created." - href: auditing/event-4741.md - - name: "Event 4742 S: A computer account was changed." - href: auditing/event-4742.md - - name: "Event 4743 S: A computer account was deleted." - href: auditing/event-4743.md - - name: Audit Distribution Group Management - href: auditing/audit-distribution-group-management.md - items: - - name: "Event 4749 S: A security-disabled global group was created." - href: auditing/event-4749.md - - name: "Event 4750 S: A security-disabled global group was changed." - href: auditing/event-4750.md - - name: "Event 4751 S: A member was added to a security-disabled global group." - href: auditing/event-4751.md - - name: "Event 4752 S: A member was removed from a security-disabled global group." - href: auditing/event-4752.md - - name: "Event 4753 S: A security-disabled global group was deleted." - href: auditing/event-4753.md - - name: Audit Other Account Management Events - href: auditing/audit-other-account-management-events.md - items: - - name: "Event 4782 S: The password hash of an account was accessed." - href: auditing/event-4782.md - - name: "Event 4793 S: The Password Policy Checking API was called." - href: auditing/event-4793.md - - name: Audit Security Group Management - href: auditing/audit-security-group-management.md - items: - - name: "Event 4731 S: A security-enabled local group was created." - href: auditing/event-4731.md - - name: "Event 4732 S: A member was added to a security-enabled local group." - href: auditing/event-4732.md - - name: "Event 4733 S: A member was removed from a security-enabled local group." - href: auditing/event-4733.md - - name: "Event 4734 S: A security-enabled local group was deleted." - href: auditing/event-4734.md - - name: "Event 4735 S: A security-enabled local group was changed." - href: auditing/event-4735.md - - name: "Event 4764 S: A group�s type was changed." - href: auditing/event-4764.md - - name: "Event 4799 S: A security-enabled local group membership was enumerated." - href: auditing/event-4799.md - - name: Audit User Account Management - href: auditing/audit-user-account-management.md - items: - - name: "Event 4720 S: A user account was created." - href: auditing/event-4720.md - - name: "Event 4722 S: A user account was enabled." - href: auditing/event-4722.md - - name: "Event 4723 S, F: An attempt was made to change an account's password." - href: auditing/event-4723.md - - name: "Event 4724 S, F: An attempt was made to reset an account's password." - href: auditing/event-4724.md - - name: "Event 4725 S: A user account was disabled." - href: auditing/event-4725.md - - name: "Event 4726 S: A user account was deleted." - href: auditing/event-4726.md - - name: "Event 4738 S: A user account was changed." - href: auditing/event-4738.md - - name: "Event 4740 S: A user account was locked out." - href: auditing/event-4740.md - - name: "Event 4765 S: SID History was added to an account." - href: auditing/event-4765.md - - name: "Event 4766 F: An attempt to add SID History to an account failed." - href: auditing/event-4766.md - - name: "Event 4767 S: A user account was unlocked." - href: auditing/event-4767.md - - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." - href: auditing/event-4780.md - - name: "Event 4781 S: The name of an account was changed." - href: auditing/event-4781.md - - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." - href: auditing/event-4794.md - - name: "Event 4798 S: A user's local group membership was enumerated." - href: auditing/event-4798.md - - name: "Event 5376 S: Credential Manager credentials were backed up." - href: auditing/event-5376.md - - name: "Event 5377 S: Credential Manager credentials were restored from a backup." - href: auditing/event-5377.md - - name: Audit DPAPI Activity - href: auditing/audit-dpapi-activity.md - items: - - name: "Event 4692 S, F: Backup of data protection master key was attempted." - href: auditing/event-4692.md - - name: "Event 4693 S, F: Recovery of data protection master key was attempted." - href: auditing/event-4693.md - - name: "Event 4694 S, F: Protection of auditable protected data was attempted." - href: auditing/event-4694.md - - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." - href: auditing/event-4695.md - - name: Audit PNP Activity - href: auditing/audit-pnp-activity.md - items: - - name: "Event 6416 S: A new external device was recognized by the System." - href: auditing/event-6416.md - - name: "Event 6419 S: A request was made to disable a device." - href: auditing/event-6419.md - - name: "Event 6420 S: A device was disabled." - href: auditing/event-6420.md - - name: "Event 6421 S: A request was made to enable a device." - href: auditing/event-6421.md - - name: "Event 6422 S: A device was enabled." - href: auditing/event-6422.md - - name: "Event 6423 S: The installation of this device is forbidden by system policy." - href: auditing/event-6423.md - - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." - href: auditing/event-6424.md - - name: Audit Process Creation - href: auditing/audit-process-creation.md - items: - - name: "Event 4688 S: A new process has been created." - href: auditing/event-4688.md - - name: "Event 4696 S: A primary token was assigned to process." - href: auditing/event-4696.md - - name: Audit Process Termination - href: auditing/audit-process-termination.md - items: - - name: "Event 4689 S: A process has exited." - href: auditing/event-4689.md - - name: Audit RPC Events - href: auditing/audit-rpc-events.md - items: - - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." - href: auditing/event-5712.md - - name: Audit Token Right Adjusted - href: auditing/audit-token-right-adjusted.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: Audit Detailed Directory Service Replication - href: auditing/audit-detailed-directory-service-replication.md - items: - - name: "Event 4928 S, F: An Active Directory replica source naming context was established." - href: auditing/event-4928.md - - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." - href: auditing/event-4929.md - - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." - href: auditing/event-4930.md - - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." - href: auditing/event-4931.md - - name: "Event 4934 S: Attributes of an Active Directory object were replicated." - href: auditing/event-4934.md - - name: "Event 4935 F: Replication failure begins." - href: auditing/event-4935.md - - name: "Event 4936 S: Replication failure ends." - href: auditing/event-4936.md - - name: "Event 4937 S: A lingering object was removed from a replica." - href: auditing/event-4937.md - - name: Audit Directory Service Access - href: auditing/audit-directory-service-access.md - items: - - name: "Event 4662 S, F: An operation was performed on an object." - href: auditing/event-4662.md - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Directory Service Changes - href: auditing/audit-directory-service-changes.md - items: - - name: "Event 5136 S: A directory service object was modified." - href: auditing/event-5136.md - - name: "Event 5137 S: A directory service object was created." - href: auditing/event-5137.md - - name: "Event 5138 S: A directory service object was undeleted." - href: auditing/event-5138.md - - name: "Event 5139 S: A directory service object was moved." - href: auditing/event-5139.md - - name: "Event 5141 S: A directory service object was deleted." - href: auditing/event-5141.md - - name: Audit Directory Service Replication - href: auditing/audit-directory-service-replication.md - items: - - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." - href: auditing/event-4932.md - - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." - href: auditing/event-4933.md - - name: Audit Account Lockout - href: auditing/audit-account-lockout.md - items: - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: Audit User/Device Claims - href: auditing/audit-user-device-claims.md - items: - - name: "Event 4626 S: User/Device claims information." - href: auditing/event-4626.md - - name: Audit Group Membership - href: auditing/audit-group-membership.md - items: - - name: "Event 4627 S: Group membership information." - href: auditing/event-4627.md - - name: Audit IPsec Extended Mode - href: auditing/audit-ipsec-extended-mode.md - - name: Audit IPsec Main Mode - href: auditing/audit-ipsec-main-mode.md - - name: Audit IPsec Quick Mode - href: auditing/audit-ipsec-quick-mode.md - - name: Audit Logoff - href: auditing/audit-logoff.md - items: - - name: "Event 4634 S: An account was logged off." - href: auditing/event-4634.md - - name: "Event 4647 S: User initiated logoff." - href: auditing/event-4647.md - - name: Audit Logon - href: auditing/audit-logon.md - items: - - name: "Event 4624 S: An account was successfully logged on." - href: auditing/event-4624.md - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: "Event 4648 S: A logon was attempted using explicit credentials." - href: auditing/event-4648.md - - name: "Event 4675 S: SIDs were filtered." - href: auditing/event-4675.md - - name: Audit Network Policy Server - href: auditing/audit-network-policy-server.md - - name: Audit Other Logon/Logoff Events - href: auditing/audit-other-logonlogoff-events.md - items: - - name: "Event 4649 S: A replay attack was detected." - href: auditing/event-4649.md - - name: "Event 4778 S: A session was reconnected to a Window Station." - href: auditing/event-4778.md - - name: "Event 4779 S: A session was disconnected from a Window Station." - href: auditing/event-4779.md - - name: "Event 4800 S: The workstation was locked." - href: auditing/event-4800.md - - name: "Event 4801 S: The workstation was unlocked." - href: auditing/event-4801.md - - name: "Event 4802 S: The screen saver was invoked." - href: auditing/event-4802.md - - name: "Event 4803 S: The screen saver was dismissed." - href: auditing/event-4803.md - - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." - href: auditing/event-5378.md - - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." - href: auditing/event-5632.md - - name: "Event 5633 S, F: A request was made to authenticate to a wired network." - href: auditing/event-5633.md - - name: Audit Special Logon - href: auditing/audit-special-logon.md - items: - - name: "Event 4964 S: Special groups have been assigned to a new logon." - href: auditing/event-4964.md - - name: "Event 4672 S: Special privileges assigned to new logon." - href: auditing/event-4672.md - - name: Audit Application Generated - href: auditing/audit-application-generated.md - - name: Audit Certification Services - href: auditing/audit-certification-services.md - - name: Audit Detailed File Share - href: auditing/audit-detailed-file-share.md - items: - - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." - href: auditing/event-5145.md - - name: Audit File Share - href: auditing/audit-file-share.md - items: - - name: "Event 5140 S, F: A network share object was accessed." - href: auditing/event-5140.md - - name: "Event 5142 S: A network share object was added." - href: auditing/event-5142.md - - name: "Event 5143 S: A network share object was modified." - href: auditing/event-5143.md - - name: "Event 5144 S: A network share object was deleted." - href: auditing/event-5144.md - - name: "Event 5168 F: SPN check for SMB/SMB2 failed." - href: auditing/event-5168.md - - name: Audit File System - href: auditing/audit-file-system.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4664 S: An attempt was made to create a hard link." - href: auditing/event-4664.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: "Event 5051: A file was virtualized." - href: auditing/event-5051.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Filtering Platform Connection - href: auditing/audit-filtering-platform-connection.md - items: - - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." - href: auditing/event-5031.md - - name: "Event 5150: The Windows Filtering Platform blocked a packet." - href: auditing/event-5150.md - - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5151.md - - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." - href: auditing/event-5154.md - - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." - href: auditing/event-5155.md - - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." - href: auditing/event-5156.md - - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." - href: auditing/event-5157.md - - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." - href: auditing/event-5158.md - - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." - href: auditing/event-5159.md - - name: Audit Filtering Platform Packet Drop - href: auditing/audit-filtering-platform-packet-drop.md - items: - - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." - href: auditing/event-5152.md - - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5153.md - - name: Audit Handle Manipulation - href: auditing/audit-handle-manipulation.md - items: - - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." - href: auditing/event-4690.md - - name: Audit Kernel Object - href: auditing/audit-kernel-object.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: Audit Other Object Access Events - href: auditing/audit-other-object-access-events.md - items: - - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." - href: auditing/event-4671.md - - name: "Event 4691 S: Indirect access to an object was requested." - href: auditing/event-4691.md - - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." - href: auditing/event-5148.md - - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." - href: auditing/event-5149.md - - name: "Event 4698 S: A scheduled task was created." - href: auditing/event-4698.md - - name: "Event 4699 S: A scheduled task was deleted." - href: auditing/event-4699.md - - name: "Event 4700 S: A scheduled task was enabled." - href: auditing/event-4700.md - - name: "Event 4701 S: A scheduled task was disabled." - href: auditing/event-4701.md - - name: "Event 4702 S: A scheduled task was updated." - href: auditing/event-4702.md - - name: "Event 5888 S: An object in the COM+ Catalog was modified." - href: auditing/event-5888.md - - name: "Event 5889 S: An object was deleted from the COM+ Catalog." - href: auditing/event-5889.md - - name: "Event 5890 S: An object was added to the COM+ Catalog." - href: auditing/event-5890.md - - name: Audit Registry - href: auditing/audit-registry.md - items: - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4657 S: A registry value was modified." - href: auditing/event-4657.md - - name: "Event 5039: A registry key was virtualized." - href: auditing/event-5039.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Removable Storage - href: auditing/audit-removable-storage.md - - name: Audit SAM - href: auditing/audit-sam.md - items: - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Central Access Policy Staging - href: auditing/audit-central-access-policy-staging.md - items: - - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." - href: auditing/event-4818.md - - name: Audit Audit Policy Change - href: auditing/audit-audit-policy-change.md - items: - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4715 S: The audit policy, SACL, on an object was changed." - href: auditing/event-4715.md - - name: "Event 4719 S: System audit policy was changed." - href: auditing/event-4719.md - - name: "Event 4817 S: Auditing settings on object were changed." - href: auditing/event-4817.md - - name: "Event 4902 S: The Per-user audit policy table was created." - href: auditing/event-4902.md - - name: "Event 4906 S: The CrashOnAuditFail value has changed." - href: auditing/event-4906.md - - name: "Event 4907 S: Auditing settings on object were changed." - href: auditing/event-4907.md - - name: "Event 4908 S: Special Groups Logon table modified." - href: auditing/event-4908.md - - name: "Event 4912 S: Per User Audit Policy was changed." - href: auditing/event-4912.md - - name: "Event 4904 S: An attempt was made to register a security event source." - href: auditing/event-4904.md - - name: "Event 4905 S: An attempt was made to unregister a security event source." - href: auditing/event-4905.md - - name: Audit Authentication Policy Change - href: auditing/audit-authentication-policy-change.md - items: - - name: "Event 4706 S: A new trust was created to a domain." - href: auditing/event-4706.md - - name: "Event 4707 S: A trust to a domain was removed." - href: auditing/event-4707.md - - name: "Event 4716 S: Trusted domain information was modified." - href: auditing/event-4716.md - - name: "Event 4713 S: Kerberos policy was changed." - href: auditing/event-4713.md - - name: "Event 4717 S: System security access was granted to an account." - href: auditing/event-4717.md - - name: "Event 4718 S: System security access was removed from an account." - href: auditing/event-4718.md - - name: "Event 4739 S: Domain Policy was changed." - href: auditing/event-4739.md - - name: "Event 4864 S: A namespace collision was detected." - href: auditing/event-4864.md - - name: "Event 4865 S: A trusted forest information entry was added." - href: auditing/event-4865.md - - name: "Event 4866 S: A trusted forest information entry was removed." - href: auditing/event-4866.md - - name: "Event 4867 S: A trusted forest information entry was modified." - href: auditing/event-4867.md - - name: Audit Authorization Policy Change - href: auditing/audit-authorization-policy-change.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: "Event 4704 S: A user right was assigned." - href: auditing/event-4704.md - - name: "Event 4705 S: A user right was removed." - href: auditing/event-4705.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4911 S: Resource attributes of the object were changed." - href: auditing/event-4911.md - - name: "Event 4913 S: Central Access Policy on the object was changed." - href: auditing/event-4913.md - - name: Audit Filtering Platform Policy Change - href: auditing/audit-filtering-platform-policy-change.md - - name: Audit MPSSVC Rule-Level Policy Change - href: auditing/audit-mpssvc-rule-level-policy-change.md - items: - - name: "Event 4944 S: The following policy was active when the Windows Firewall started." - href: auditing/event-4944.md - - name: "Event 4945 S: A rule was listed when the Windows Firewall started." - href: auditing/event-4945.md - - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." - href: auditing/event-4946.md - - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." - href: auditing/event-4947.md - - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." - href: auditing/event-4948.md - - name: "Event 4949 S: Windows Firewall settings were restored to the default values." - href: auditing/event-4949.md - - name: "Event 4950 S: A Windows Firewall setting has changed." - href: auditing/event-4950.md - - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." - href: auditing/event-4951.md - - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." - href: auditing/event-4952.md - - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." - href: auditing/event-4953.md - - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." - href: auditing/event-4954.md - - name: "Event 4956 S: Windows Firewall has changed the active profile." - href: auditing/event-4956.md - - name: "Event 4957 F: Windows Firewall did not apply the following rule." - href: auditing/event-4957.md - - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." - href: auditing/event-4958.md - - name: Audit Other Policy Change Events - href: auditing/audit-other-policy-change-events.md - items: - - name: "Event 4714 S: Encrypted data recovery policy was changed." - href: auditing/event-4714.md - - name: "Event 4819 S: Central Access Policies on the machine have been changed." - href: auditing/event-4819.md - - name: "Event 4826 S: Boot Configuration Data loaded." - href: auditing/event-4826.md - - name: "Event 4909: The local policy settings for the TBS were changed." - href: auditing/event-4909.md - - name: "Event 4910: The group policy settings for the TBS were changed." - href: auditing/event-4910.md - - name: "Event 5063 S, F: A cryptographic provider operation was attempted." - href: auditing/event-5063.md - - name: "Event 5064 S, F: A cryptographic context operation was attempted." - href: auditing/event-5064.md - - name: "Event 5065 S, F: A cryptographic context modification was attempted." - href: auditing/event-5065.md - - name: "Event 5066 S, F: A cryptographic function operation was attempted." - href: auditing/event-5066.md - - name: "Event 5067 S, F: A cryptographic function modification was attempted." - href: auditing/event-5067.md - - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." - href: auditing/event-5068.md - - name: "Event 5069 S, F: A cryptographic function property operation was attempted." - href: auditing/event-5069.md - - name: "Event 5070 S, F: A cryptographic function property modification was attempted." - href: auditing/event-5070.md - - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." - href: auditing/event-5447.md - - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." - href: auditing/event-6144.md - - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." - href: auditing/event-6145.md - - name: Audit Sensitive Privilege Use - href: auditing/audit-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Non Sensitive Privilege Use - href: auditing/audit-non-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Other Privilege Use Events - href: auditing/audit-other-privilege-use-events.md - items: - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit IPsec Driver - href: auditing/audit-ipsec-driver.md - - name: Audit Other System Events - href: auditing/audit-other-system-events.md - items: - - name: "Event 5024 S: The Windows Firewall Service has started successfully." - href: auditing/event-5024.md - - name: "Event 5025 S: The Windows Firewall Service has been stopped." - href: auditing/event-5025.md - - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." - href: auditing/event-5027.md - - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." - href: auditing/event-5028.md - - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." - href: auditing/event-5029.md - - name: "Event 5030 F: The Windows Firewall Service failed to start." - href: auditing/event-5030.md - - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." - href: auditing/event-5032.md - - name: "Event 5033 S: The Windows Firewall Driver has started successfully." - href: auditing/event-5033.md - - name: "Event 5034 S: The Windows Firewall Driver was stopped." - href: auditing/event-5034.md - - name: "Event 5035 F: The Windows Firewall Driver failed to start." - href: auditing/event-5035.md - - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." - href: auditing/event-5037.md - - name: "Event 5058 S, F: Key file operation." - href: auditing/event-5058.md - - name: "Event 5059 S, F: Key migration operation." - href: auditing/event-5059.md - - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." - href: auditing/event-6400.md - - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." - href: auditing/event-6401.md - - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." - href: auditing/event-6402.md - - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." - href: auditing/event-6403.md - - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." - href: auditing/event-6404.md - - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." - href: auditing/event-6405.md - - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." - href: auditing/event-6406.md - - name: "Event 6407: 1%." - href: auditing/event-6407.md - - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." - href: auditing/event-6408.md - - name: "Event 6409: BranchCache: A service connection point object could not be parsed." - href: auditing/event-6409.md - - name: Audit Security State Change - href: auditing/audit-security-state-change.md - items: - - name: "Event 4608 S: Windows is starting up." - href: auditing/event-4608.md - - name: "Event 4616 S: The system time was changed." - href: auditing/event-4616.md - - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." - href: auditing/event-4621.md - - name: Audit Security System Extension - href: auditing/audit-security-system-extension.md - items: - - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." - href: auditing/event-4610.md - - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." - href: auditing/event-4611.md - - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." - href: auditing/event-4614.md - - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." - href: auditing/event-4622.md - - name: "Event 4697 S: A service was installed in the system." - href: auditing/event-4697.md - - name: Audit System Integrity - href: auditing/audit-system-integrity.md - items: - - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." - href: auditing/event-4612.md - - name: "Event 4615 S: Invalid use of LPC port." - href: auditing/event-4615.md - - name: "Event 4618 S: A monitored security event pattern has occurred." - href: auditing/event-4618.md - - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." - href: auditing/event-4816.md - - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." - href: auditing/event-5038.md - - name: "Event 5056 S: A cryptographic self-test was performed." - href: auditing/event-5056.md - - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." - href: auditing/event-5062.md - - name: "Event 5057 F: A cryptographic primitive operation failed." - href: auditing/event-5057.md - - name: "Event 5060 F: Verification operation failed." - href: auditing/event-5060.md - - name: "Event 5061 S, F: Cryptographic operation." - href: auditing/event-5061.md - - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." - href: auditing/event-6281.md - - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." - href: auditing/event-6410.md - - name: Other Events - href: auditing/other-events.md - items: - - name: "Event 1100 S: The event logging service has shut down." - href: auditing/event-1100.md - - name: "Event 1102 S: The audit log was cleared." - href: auditing/event-1102.md - - name: "Event 1104 S: The security log is now full." - href: auditing/event-1104.md - - name: "Event 1105 S: Event log automatic backup." - href: auditing/event-1105.md - - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." - href: auditing/event-1108.md - - name: "Appendix A: Security monitoring recommendations for many audit events" - href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md - - name: Registry (Global Object Access Auditing) - href: auditing/registry-global-object-access-auditing.md - - name: File System (Global Object Access Auditing) - href: auditing/file-system-global-object-access-auditing.md - - name: Security policy settings - href: security-policy-settings/security-policy-settings.md - items: - - name: Administer security policy settings - href: security-policy-settings/administer-security-policy-settings.md - items: - - name: Network List Manager policies - href: security-policy-settings/network-list-manager-policies.md - - name: Configure security policy settings - href: security-policy-settings/how-to-configure-security-policy-settings.md - - name: Security policy settings reference - href: security-policy-settings/security-policy-settings-reference.md - items: - - name: Account Policies - href: security-policy-settings/account-policies.md - items: - - name: Password Policy - href: security-policy-settings/password-policy.md - items: - - name: Enforce password history - href: security-policy-settings/enforce-password-history.md - - name: Maximum password age - href: security-policy-settings/maximum-password-age.md - - name: Minimum password age - href: security-policy-settings/minimum-password-age.md - - name: Minimum password length - href: security-policy-settings/minimum-password-length.md - - name: Password must meet complexity requirements - href: security-policy-settings/password-must-meet-complexity-requirements.md - - name: Store passwords using reversible encryption - href: security-policy-settings/store-passwords-using-reversible-encryption.md - - name: Account Lockout Policy - href: security-policy-settings/account-lockout-policy.md - items: - - name: Account lockout duration - href: security-policy-settings/account-lockout-duration.md - - name: Account lockout threshold - href: security-policy-settings/account-lockout-threshold.md - - name: Reset account lockout counter after - href: security-policy-settings/reset-account-lockout-counter-after.md - - name: Kerberos Policy - href: security-policy-settings/kerberos-policy.md - items: - - name: Enforce user logon restrictions - href: security-policy-settings/enforce-user-logon-restrictions.md - - name: Maximum lifetime for service ticket - href: security-policy-settings/maximum-lifetime-for-service-ticket.md - - name: Maximum lifetime for user ticket - href: security-policy-settings/maximum-lifetime-for-user-ticket.md - - name: Maximum lifetime for user ticket renewal - href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md - - name: Maximum tolerance for computer clock synchronization - href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md - - name: Audit Policy - href: security-policy-settings/audit-policy.md - - name: Security Options - href: security-policy-settings/security-options.md - items: - - name: "Accounts: Administrator account status" - href: security-policy-settings/accounts-administrator-account-status.md - - name: "Accounts: Block Microsoft accounts" - href: security-policy-settings/accounts-block-microsoft-accounts.md - - name: "Accounts: Guest account status" - href: security-policy-settings/accounts-guest-account-status.md - - name: "Accounts: Limit local account use of blank passwords to console logon only" - href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md - - name: "Accounts: Rename administrator account" - href: security-policy-settings/accounts-rename-administrator-account.md - - name: "Accounts: Rename guest account" - href: security-policy-settings/accounts-rename-guest-account.md - - name: "Audit: Audit the access of global system objects" - href: security-policy-settings/audit-audit-the-access-of-global-system-objects.md - - name: "Audit: Audit the use of Backup and Restore privilege" - href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md - - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md - - name: "Audit: Shut down system immediately if unable to log security audits" - href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md - - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "Devices: Allow undock without having to log on" - href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md - - name: "Devices: Allowed to format and eject removable media" - href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md - - name: "Devices: Prevent users from installing printer drivers" - href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md - - name: "Devices: Restrict CD-ROM access to locally logged-on user only" - href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md - - name: "Devices: Restrict floppy access to locally logged-on user only" - href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md - - name: "Domain controller: Allow server operators to schedule tasks" - href: security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md - - name: "Domain controller: LDAP server signing requirements" - href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md - - name: "Domain controller: Refuse machine account password changes" - href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md - - name: "Domain member: Digitally encrypt or sign secure channel data (always)" - href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md - - name: "Domain member: Digitally encrypt secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md - - name: "Domain member: Digitally sign secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md - - name: "Domain member: Disable machine account password changes" - href: security-policy-settings/domain-member-disable-machine-account-password-changes.md - - name: "Domain member: Maximum machine account password age" - href: security-policy-settings/domain-member-maximum-machine-account-password-age.md - - name: "Domain member: Require strong (Windows 2000 or later) session key" - href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md - - name: "Interactive logon: Display user information when the session is locked" - href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md - - name: "Interactive logon: Don't display last signed-in" - href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md - - name: "Interactive logon: Don't display username at sign-in" - href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md - - name: "Interactive logon: Do not require CTRL+ALT+DEL" - href: security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md - - name: "Interactive logon: Machine account lockout threshold" - href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md - - name: "Interactive logon: Machine inactivity limit" - href: security-policy-settings/interactive-logon-machine-inactivity-limit.md - - name: "Interactive logon: Message text for users attempting to log on" - href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md - - name: "Interactive logon: Message title for users attempting to log on" - href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md - - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" - href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md - - name: "Interactive logon: Prompt user to change password before expiration" - href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md - - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" - href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md - - name: "Interactive logon: Require smart card" - href: security-policy-settings/interactive-logon-require-smart-card.md - - name: "Interactive logon: Smart card removal behavior" - href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md - - name: "Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md - - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" - href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md - - name: "Microsoft network server: Amount of idle time required before suspending session" - href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md - - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" - href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md - - name: "Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md - - name: "Microsoft network server: Disconnect clients when logon hours expire" - href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md - - name: "Microsoft network server: Server SPN target name validation level" - href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md - - name: "Network access: Allow anonymous SID/Name translation" - href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md - - name: "Network access: Do not allow storage of passwords and credentials for network authentication" - href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md - - name: "Network access: Let Everyone permissions apply to anonymous users" - href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md - - name: "Network access: Named Pipes that can be accessed anonymously" - href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md - - name: "Network access: Remotely accessible registry paths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths.md - - name: "Network access: Remotely accessible registry paths and subpaths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md - - name: "Network access: Restrict anonymous access to Named Pipes and Shares" - href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md - - name: "Network access: Restrict clients allowed to make remote calls to SAM" - href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md - - name: "Network access: Shares that can be accessed anonymously" - href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md - - name: "Network access: Sharing and security model for local accounts" - href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md - - name: "Network security: Allow Local System to use computer identity for NTLM" - href: security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md - - name: "Network security: Allow LocalSystem NULL session fallback" - href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md - - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" - href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md - - name: "Network security: Configure encryption types allowed for Kerberos" - href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md - - name: "Network security: Do not store LAN Manager hash value on next password change" - href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md - - name: "Network security: Force logoff when logon hours expire" - href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md - - name: "Network security: LAN Manager authentication level" - href: security-policy-settings/network-security-lan-manager-authentication-level.md - - name: "Network security: LDAP client signing requirements" - href: security-policy-settings/network-security-ldap-client-signing-requirements.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md - - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" - href: security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md - - name: "Network security: Restrict NTLM: Add server exceptions in this domain" - href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md - - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" - href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md - - name: "Recovery console: Allow automatic administrative logon" - href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md - - name: "Recovery console: Allow floppy copy and access to all drives and folders" - href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md - - name: "Shutdown: Allow system to be shut down without having to log on" - href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md - - name: "Shutdown: Clear virtual memory pagefile" - href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md - - name: "System cryptography: Force strong key protection for user keys stored on the computer" - href: security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md - - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" - href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md - - name: "System objects: Require case insensitivity for non-Windows subsystems" - href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md - - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" - href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md - - name: "System settings: Optional subsystems" - href: security-policy-settings/system-settings-optional-subsystems.md - - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" - href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md - - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" - href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md - - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" - href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md - - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md - - name: "User Account Control: Behavior of the elevation prompt for standard users" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md - - name: "User Account Control: Detect application installations and prompt for elevation" - href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md - - name: "User Account Control: Only elevate executables that are signed and validated" - href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md - - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md - - name: "User Account Control: Run all administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md - - name: "User Account Control: Switch to the secure desktop when prompting for elevation" - href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md - - name: "User Account Control: Virtualize file and registry write failures to per-user locations" - href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md - - name: Advanced security audit policy settings - href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md - - name: User Rights Assignment - href: security-policy-settings/user-rights-assignment.md - items: - - name: Access Credential Manager as a trusted caller - href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md - - name: Access this computer from the network - href: security-policy-settings/access-this-computer-from-the-network.md - - name: Act as part of the operating system - href: security-policy-settings/act-as-part-of-the-operating-system.md - - name: Add workstations to domain - href: security-policy-settings/add-workstations-to-domain.md - - name: Adjust memory quotas for a process - href: security-policy-settings/adjust-memory-quotas-for-a-process.md - - name: Allow log on locally - href: security-policy-settings/allow-log-on-locally.md - - name: Allow log on through Remote Desktop Services - href: security-policy-settings/allow-log-on-through-remote-desktop-services.md - - name: Back up files and directories - href: security-policy-settings/back-up-files-and-directories.md - - name: Bypass traverse checking - href: security-policy-settings/bypass-traverse-checking.md - - name: Change the system time - href: security-policy-settings/change-the-system-time.md - - name: Change the time zone - href: security-policy-settings/change-the-time-zone.md - - name: Create a pagefile - href: security-policy-settings/create-a-pagefile.md - - name: Create a token object - href: security-policy-settings/create-a-token-object.md - - name: Create global objects - href: security-policy-settings/create-global-objects.md - - name: Create permanent shared objects - href: security-policy-settings/create-permanent-shared-objects.md - - name: Create symbolic links - href: security-policy-settings/create-symbolic-links.md - - name: Debug programs - href: security-policy-settings/debug-programs.md - - name: Deny access to this computer from the network - href: security-policy-settings/deny-access-to-this-computer-from-the-network.md - - name: Deny log on as a batch job - href: security-policy-settings/deny-log-on-as-a-batch-job.md - - name: Deny log on as a service - href: security-policy-settings/deny-log-on-as-a-service.md - - name: Deny log on locally - href: security-policy-settings/deny-log-on-locally.md - - name: Deny log on through Remote Desktop Services - href: security-policy-settings/deny-log-on-through-remote-desktop-services.md - - name: Enable computer and user accounts to be trusted for delegation - href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md - - name: Force shutdown from a remote system - href: security-policy-settings/force-shutdown-from-a-remote-system.md - - name: Generate security audits - href: security-policy-settings/generate-security-audits.md - - name: Impersonate a client after authentication - href: security-policy-settings/impersonate-a-client-after-authentication.md - - name: Increase a process working set - href: security-policy-settings/increase-a-process-working-set.md - - name: Increase scheduling priority - href: security-policy-settings/increase-scheduling-priority.md - - name: Load and unload device drivers - href: security-policy-settings/load-and-unload-device-drivers.md - - name: Lock pages in memory - href: security-policy-settings/lock-pages-in-memory.md - - name: Log on as a batch job - href: security-policy-settings/log-on-as-a-batch-job.md - - name: Log on as a service - href: security-policy-settings/log-on-as-a-service.md - - name: Manage auditing and security log - href: security-policy-settings/manage-auditing-and-security-log.md - - name: Modify an object label - href: security-policy-settings/modify-an-object-label.md - - name: Modify firmware environment values - href: security-policy-settings/modify-firmware-environment-values.md - - name: Perform volume maintenance tasks - href: security-policy-settings/perform-volume-maintenance-tasks.md - - name: Profile single process - href: security-policy-settings/profile-single-process.md - - name: Profile system performance - href: security-policy-settings/profile-system-performance.md - - name: Remove computer from docking station - href: security-policy-settings/remove-computer-from-docking-station.md - - name: Replace a process level token - href: security-policy-settings/replace-a-process-level-token.md - - name: Restore files and directories - href: security-policy-settings/restore-files-and-directories.md - - name: Shut down the system - href: security-policy-settings/shut-down-the-system.md - - name: Synchronize directory service data - href: security-policy-settings/synchronize-directory-service-data.md - - name: Take ownership of files or other objects - href: security-policy-settings/take-ownership-of-files-or-other-objects.md - - name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: windows-security-configuration-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml new file mode 100644 index 0000000000..4f122c5d8e --- /dev/null +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -0,0 +1,767 @@ + - name: Security auditing + href: security-auditing-overview.md + items: + - name: Basic security audit policies + href: basic-security-audit-policies.md + items: + - name: Create a basic audit policy for an event category + href: create-a-basic-audit-policy-settings-for-an-event-category.md + - name: Apply a basic audit policy on a file or folder + href: apply-a-basic-audit-policy-on-a-file-or-folder.md + - name: View the security event log + href: view-the-security-event-log.md + - name: Basic security audit policy settings + href: basic-security-audit-policy-settings.md + items: + - name: Audit account logon events + href: basic-audit-account-logon-events.md + - name: Audit account management + href: basic-audit-account-management.md + - name: Audit directory service access + href: basic-audit-directory-service-access.md + - name: Audit logon events + href: basic-audit-logon-events.md + - name: Audit object access + href: basic-audit-object-access.md + - name: Audit policy change + href: basic-audit-policy-change.md + - name: Audit privilege use + href: basic-audit-privilege-use.md + - name: Audit process tracking + href: basic-audit-process-tracking.md + - name: Audit system events + href: basic-audit-system-events.md + - name: Advanced security audit policies + href: advanced-security-auditing.md + items: + - name: Planning and deploying advanced security audit policies + href: planning-and-deploying-advanced-security-audit-policies.md + - name: Advanced security auditing FAQ + href: advanced-security-auditing-faq.yml + items: + - name: Which editions of Windows support advanced audit policy configuration + href: which-editions-of-windows-support-advanced-audit-policy-configuration.md + - name: How to list XML elements in \ + href: how-to-list-xml-elements-in-eventdata.md + - name: Using advanced security auditing options to monitor dynamic access control objects + href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md + items: + - name: Monitor the central access policies that apply on a file server + href: monitor-the-central-access-policies-that-apply-on-a-file-server.md + - name: Monitor the use of removable storage devices + href: monitor-the-use-of-removable-storage-devices.md + - name: Monitor resource attribute definitions + href: monitor-resource-attribute-definitions.md + - name: Monitor central access policy and rule definitions + href: monitor-central-access-policy-and-rule-definitions.md + - name: Monitor user and device claims during sign-in + href: monitor-user-and-device-claims-during-sign-in.md + - name: Monitor the resource attributes on files and folders + href: monitor-the-resource-attributes-on-files-and-folders.md + - name: Monitor the central access policies associated with files and folders + href: monitor-the-central-access-policies-associated-with-files-and-folders.md + - name: Monitor claim types + href: monitor-claim-types.md + - name: Advanced security audit policy settings + href: advanced-security-audit-policy-settings.md + items: + - name: Audit Credential Validation + href: audit-credential-validation.md + - name: "Event 4774 S, F: An account was mapped for logon." + href: event-4774.md + - name: "Event 4775 F: An account could not be mapped for logon." + href: event-4775.md + - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." + href: event-4776.md + - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." + href: event-4777.md + - name: Audit Kerberos Authentication Service + href: audit-kerberos-authentication-service.md + items: + - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." + href: event-4768.md + - name: "Event 4771 F: Kerberos pre-authentication failed." + href: event-4771.md + - name: "Event 4772 F: A Kerberos authentication ticket request failed." + href: event-4772.md + - name: Audit Kerberos Service Ticket Operations + href: audit-kerberos-service-ticket-operations.md + items: + - name: "Event 4769 S, F: A Kerberos service ticket was requested." + href: event-4769.md + - name: "Event 4770 S: A Kerberos service ticket was renewed." + href: event-4770.md + - name: "Event 4773 F: A Kerberos service ticket request failed." + href: event-4773.md + - name: Audit Other Account Logon Events + href: audit-other-account-logon-events.md + - name: Audit Application Group Management + href: audit-application-group-management.md + - name: Audit Computer Account Management + href: audit-computer-account-management.md + items: + - name: "Event 4741 S: A computer account was created." + href: event-4741.md + - name: "Event 4742 S: A computer account was changed." + href: event-4742.md + - name: "Event 4743 S: A computer account was deleted." + href: event-4743.md + - name: Audit Distribution Group Management + href: audit-distribution-group-management.md + items: + - name: "Event 4749 S: A security-disabled global group was created." + href: event-4749.md + - name: "Event 4750 S: A security-disabled global group was changed." + href: event-4750.md + - name: "Event 4751 S: A member was added to a security-disabled global group." + href: event-4751.md + - name: "Event 4752 S: A member was removed from a security-disabled global group." + href: event-4752.md + - name: "Event 4753 S: A security-disabled global group was deleted." + href: event-4753.md + - name: Audit Other Account Management Events + href: audit-other-account-management-events.md + items: + - name: "Event 4782 S: The password hash of an account was accessed." + href: event-4782.md + - name: "Event 4793 S: The Password Policy Checking API was called." + href: event-4793.md + - name: Audit Security Group Management + href: audit-security-group-management.md + items: + - name: "Event 4731 S: A security-enabled local group was created." + href: event-4731.md + - name: "Event 4732 S: A member was added to a security-enabled local group." + href: event-4732.md + - name: "Event 4733 S: A member was removed from a security-enabled local group." + href: event-4733.md + - name: "Event 4734 S: A security-enabled local group was deleted." + href: event-4734.md + - name: "Event 4735 S: A security-enabled local group was changed." + href: event-4735.md + - name: "Event 4764 S: A group�s type was changed." + href: event-4764.md + - name: "Event 4799 S: A security-enabled local group membership was enumerated." + href: event-4799.md + - name: Audit User Account Management + href: audit-user-account-management.md + items: + - name: "Event 4720 S: A user account was created." + href: event-4720.md + - name: "Event 4722 S: A user account was enabled." + href: event-4722.md + - name: "Event 4723 S, F: An attempt was made to change an account's password." + href: event-4723.md + - name: "Event 4724 S, F: An attempt was made to reset an account's password." + href: event-4724.md + - name: "Event 4725 S: A user account was disabled." + href: event-4725.md + - name: "Event 4726 S: A user account was deleted." + href: event-4726.md + - name: "Event 4738 S: A user account was changed." + href: event-4738.md + - name: "Event 4740 S: A user account was locked out." + href: event-4740.md + - name: "Event 4765 S: SID History was added to an account." + href: event-4765.md + - name: "Event 4766 F: An attempt to add SID History to an account failed." + href: event-4766.md + - name: "Event 4767 S: A user account was unlocked." + href: event-4767.md + - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." + href: event-4780.md + - name: "Event 4781 S: The name of an account was changed." + href: event-4781.md + - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." + href: event-4794.md + - name: "Event 4798 S: A user's local group membership was enumerated." + href: event-4798.md + - name: "Event 5376 S: Credential Manager credentials were backed up." + href: event-5376.md + - name: "Event 5377 S: Credential Manager credentials were restored from a backup." + href: event-5377.md + - name: Audit DPAPI Activity + href: audit-dpapi-activity.md + items: + - name: "Event 4692 S, F: Backup of data protection master key was attempted." + href: event-4692.md + - name: "Event 4693 S, F: Recovery of data protection master key was attempted." + href: event-4693.md + - name: "Event 4694 S, F: Protection of auditable protected data was attempted." + href: event-4694.md + - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." + href: event-4695.md + - name: Audit PNP Activity + href: audit-pnp-activity.md + items: + - name: "Event 6416 S: A new external device was recognized by the System." + href: event-6416.md + - name: "Event 6419 S: A request was made to disable a device." + href: event-6419.md + - name: "Event 6420 S: A device was disabled." + href: event-6420.md + - name: "Event 6421 S: A request was made to enable a device." + href: event-6421.md + - name: "Event 6422 S: A device was enabled." + href: event-6422.md + - name: "Event 6423 S: The installation of this device is forbidden by system policy." + href: event-6423.md + - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." + href: event-6424.md + - name: Audit Process Creation + href: audit-process-creation.md + items: + - name: "Event 4688 S: A new process has been created." + href: event-4688.md + - name: "Event 4696 S: A primary token was assigned to process." + href: event-4696.md + - name: Audit Process Termination + href: audit-process-termination.md + items: + - name: "Event 4689 S: A process has exited." + href: event-4689.md + - name: Audit RPC Events + href: audit-rpc-events.md + items: + - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." + href: event-5712.md + - name: Audit Token Right Adjusted + href: audit-token-right-adjusted.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: Audit Detailed Directory Service Replication + href: audit-detailed-directory-service-replication.md + items: + - name: "Event 4928 S, F: An Active Directory replica source naming context was established." + href: event-4928.md + - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." + href: event-4929.md + - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." + href: event-4930.md + - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." + href: event-4931.md + - name: "Event 4934 S: Attributes of an Active Directory object were replicated." + href: event-4934.md + - name: "Event 4935 F: Replication failure begins." + href: event-4935.md + - name: "Event 4936 S: Replication failure ends." + href: event-4936.md + - name: "Event 4937 S: A lingering object was removed from a replica." + href: event-4937.md + - name: Audit Directory Service Access + href: audit-directory-service-access.md + items: + - name: "Event 4662 S, F: An operation was performed on an object." + href: event-4662.md + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Directory Service Changes + href: audit-directory-service-changes.md + items: + - name: "Event 5136 S: A directory service object was modified." + href: event-5136.md + - name: "Event 5137 S: A directory service object was created." + href: event-5137.md + - name: "Event 5138 S: A directory service object was undeleted." + href: event-5138.md + - name: "Event 5139 S: A directory service object was moved." + href: event-5139.md + - name: "Event 5141 S: A directory service object was deleted." + href: event-5141.md + - name: Audit Directory Service Replication + href: audit-directory-service-replication.md + items: + - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." + href: event-4932.md + - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." + href: event-4933.md + - name: Audit Account Lockout + href: audit-account-lockout.md + items: + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: Audit User/Device Claims + href: audit-user-device-claims.md + items: + - name: "Event 4626 S: User/Device claims information." + href: event-4626.md + - name: Audit Group Membership + href: audit-group-membership.md + items: + - name: "Event 4627 S: Group membership information." + href: event-4627.md + - name: Audit IPsec Extended Mode + href: audit-ipsec-extended-mode.md + - name: Audit IPsec Main Mode + href: audit-ipsec-main-mode.md + - name: Audit IPsec Quick Mode + href: audit-ipsec-quick-mode.md + - name: Audit Logoff + href: audit-logoff.md + items: + - name: "Event 4634 S: An account was logged off." + href: event-4634.md + - name: "Event 4647 S: User initiated logoff." + href: event-4647.md + - name: Audit Logon + href: audit-logon.md + items: + - name: "Event 4624 S: An account was successfully logged on." + href: event-4624.md + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: "Event 4648 S: A logon was attempted using explicit credentials." + href: event-4648.md + - name: "Event 4675 S: SIDs were filtered." + href: event-4675.md + - name: Audit Network Policy Server + href: audit-network-policy-server.md + - name: Audit Other Logon/Logoff Events + href: audit-other-logonlogoff-events.md + items: + - name: "Event 4649 S: A replay attack was detected." + href: event-4649.md + - name: "Event 4778 S: A session was reconnected to a Window Station." + href: event-4778.md + - name: "Event 4779 S: A session was disconnected from a Window Station." + href: event-4779.md + - name: "Event 4800 S: The workstation was locked." + href: event-4800.md + - name: "Event 4801 S: The workstation was unlocked." + href: event-4801.md + - name: "Event 4802 S: The screen saver was invoked." + href: event-4802.md + - name: "Event 4803 S: The screen saver was dismissed." + href: event-4803.md + - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." + href: event-5378.md + - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." + href: event-5632.md + - name: "Event 5633 S, F: A request was made to authenticate to a wired network." + href: event-5633.md + - name: Audit Special Logon + href: audit-special-logon.md + items: + - name: "Event 4964 S: Special groups have been assigned to a new logon." + href: event-4964.md + - name: "Event 4672 S: Special privileges assigned to new logon." + href: event-4672.md + - name: Audit Application Generated + href: audit-application-generated.md + - name: Audit Certification Services + href: audit-certification-services.md + - name: Audit Detailed File Share + href: audit-detailed-file-share.md + items: + - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." + href: event-5145.md + - name: Audit File Share + href: audit-file-share.md + items: + - name: "Event 5140 S, F: A network share object was accessed." + href: event-5140.md + - name: "Event 5142 S: A network share object was added." + href: event-5142.md + - name: "Event 5143 S: A network share object was modified." + href: event-5143.md + - name: "Event 5144 S: A network share object was deleted." + href: event-5144.md + - name: "Event 5168 F: SPN check for SMB/SMB2 failed." + href: event-5168.md + - name: Audit File System + href: audit-file-system.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4664 S: An attempt was made to create a hard link." + href: event-4664.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: "Event 5051: A file was virtualized." + href: event-5051.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Filtering Platform Connection + href: audit-filtering-platform-connection.md + items: + - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." + href: event-5031.md + - name: "Event 5150: The Windows Filtering Platform blocked a packet." + href: event-5150.md + - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5151.md + - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." + href: event-5154.md + - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." + href: event-5155.md + - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." + href: event-5156.md + - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." + href: event-5157.md + - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." + href: event-5158.md + - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." + href: event-5159.md + - name: Audit Filtering Platform Packet Drop + href: audit-filtering-platform-packet-drop.md + items: + - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." + href: event-5152.md + - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5153.md + - name: Audit Handle Manipulation + href: audit-handle-manipulation.md + items: + - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." + href: event-4690.md + - name: Audit Kernel Object + href: audit-kernel-object.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: Audit Other Object Access Events + href: audit-other-object-access-events.md + items: + - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." + href: event-4671.md + - name: "Event 4691 S: Indirect access to an object was requested." + href: event-4691.md + - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." + href: event-5148.md + - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." + href: event-5149.md + - name: "Event 4698 S: A scheduled task was created." + href: event-4698.md + - name: "Event 4699 S: A scheduled task was deleted." + href: event-4699.md + - name: "Event 4700 S: A scheduled task was enabled." + href: event-4700.md + - name: "Event 4701 S: A scheduled task was disabled." + href: event-4701.md + - name: "Event 4702 S: A scheduled task was updated." + href: event-4702.md + - name: "Event 5888 S: An object in the COM+ Catalog was modified." + href: event-5888.md + - name: "Event 5889 S: An object was deleted from the COM+ Catalog." + href: event-5889.md + - name: "Event 5890 S: An object was added to the COM+ Catalog." + href: event-5890.md + - name: Audit Registry + href: audit-registry.md + items: + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4657 S: A registry value was modified." + href: event-4657.md + - name: "Event 5039: A registry key was virtualized." + href: event-5039.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Removable Storage + href: audit-removable-storage.md + - name: Audit SAM + href: audit-sam.md + items: + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Central Access Policy Staging + href: audit-central-access-policy-staging.md + items: + - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." + href: event-4818.md + - name: Audit Audit Policy Change + href: audit-audit-policy-change.md + items: + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4715 S: The audit policy, SACL, on an object was changed." + href: event-4715.md + - name: "Event 4719 S: System audit policy was changed." + href: event-4719.md + - name: "Event 4817 S: Auditing settings on object were changed." + href: event-4817.md + - name: "Event 4902 S: The Per-user audit policy table was created." + href: event-4902.md + - name: "Event 4906 S: The CrashOnAuditFail value has changed." + href: event-4906.md + - name: "Event 4907 S: Auditing settings on object were changed." + href: event-4907.md + - name: "Event 4908 S: Special Groups Logon table modified." + href: event-4908.md + - name: "Event 4912 S: Per User Audit Policy was changed." + href: event-4912.md + - name: "Event 4904 S: An attempt was made to register a security event source." + href: event-4904.md + - name: "Event 4905 S: An attempt was made to unregister a security event source." + href: event-4905.md + - name: Audit Authentication Policy Change + href: audit-authentication-policy-change.md + items: + - name: "Event 4706 S: A new trust was created to a domain." + href: event-4706.md + - name: "Event 4707 S: A trust to a domain was removed." + href: event-4707.md + - name: "Event 4716 S: Trusted domain information was modified." + href: event-4716.md + - name: "Event 4713 S: Kerberos policy was changed." + href: event-4713.md + - name: "Event 4717 S: System security access was granted to an account." + href: event-4717.md + - name: "Event 4718 S: System security access was removed from an account." + href: event-4718.md + - name: "Event 4739 S: Domain Policy was changed." + href: event-4739.md + - name: "Event 4864 S: A namespace collision was detected." + href: event-4864.md + - name: "Event 4865 S: A trusted forest information entry was added." + href: event-4865.md + - name: "Event 4866 S: A trusted forest information entry was removed." + href: event-4866.md + - name: "Event 4867 S: A trusted forest information entry was modified." + href: event-4867.md + - name: Audit Authorization Policy Change + href: audit-authorization-policy-change.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: "Event 4704 S: A user right was assigned." + href: event-4704.md + - name: "Event 4705 S: A user right was removed." + href: event-4705.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4911 S: Resource attributes of the object were changed." + href: event-4911.md + - name: "Event 4913 S: Central Access Policy on the object was changed." + href: event-4913.md + - name: Audit Filtering Platform Policy Change + href: audit-filtering-platform-policy-change.md + - name: Audit MPSSVC Rule-Level Policy Change + href: audit-mpssvc-rule-level-policy-change.md + items: + - name: "Event 4944 S: The following policy was active when the Windows Firewall started." + href: event-4944.md + - name: "Event 4945 S: A rule was listed when the Windows Firewall started." + href: event-4945.md + - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." + href: event-4946.md + - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." + href: event-4947.md + - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." + href: event-4948.md + - name: "Event 4949 S: Windows Firewall settings were restored to the default values." + href: event-4949.md + - name: "Event 4950 S: A Windows Firewall setting has changed." + href: event-4950.md + - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." + href: event-4951.md + - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." + href: event-4952.md + - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." + href: event-4953.md + - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." + href: event-4954.md + - name: "Event 4956 S: Windows Firewall has changed the active profile." + href: event-4956.md + - name: "Event 4957 F: Windows Firewall did not apply the following rule." + href: event-4957.md + - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." + href: event-4958.md + - name: Audit Other Policy Change Events + href: audit-other-policy-change-events.md + items: + - name: "Event 4714 S: Encrypted data recovery policy was changed." + href: event-4714.md + - name: "Event 4819 S: Central Access Policies on the machine have been changed." + href: event-4819.md + - name: "Event 4826 S: Boot Configuration Data loaded." + href: event-4826.md + - name: "Event 4909: The local policy settings for the TBS were changed." + href: event-4909.md + - name: "Event 4910: The group policy settings for the TBS were changed." + href: event-4910.md + - name: "Event 5063 S, F: A cryptographic provider operation was attempted." + href: event-5063.md + - name: "Event 5064 S, F: A cryptographic context operation was attempted." + href: event-5064.md + - name: "Event 5065 S, F: A cryptographic context modification was attempted." + href: event-5065.md + - name: "Event 5066 S, F: A cryptographic function operation was attempted." + href: event-5066.md + - name: "Event 5067 S, F: A cryptographic function modification was attempted." + href: event-5067.md + - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." + href: event-5068.md + - name: "Event 5069 S, F: A cryptographic function property operation was attempted." + href: event-5069.md + - name: "Event 5070 S, F: A cryptographic function property modification was attempted." + href: event-5070.md + - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." + href: event-5447.md + - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." + href: event-6144.md + - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." + href: event-6145.md + - name: Audit Sensitive Privilege Use + href: audit-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Non Sensitive Privilege Use + href: audit-non-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Other Privilege Use Events + href: audit-other-privilege-use-events.md + items: + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit IPsec Driver + href: audit-ipsec-driver.md + - name: Audit Other System Events + href: audit-other-system-events.md + items: + - name: "Event 5024 S: The Windows Firewall Service has started successfully." + href: event-5024.md + - name: "Event 5025 S: The Windows Firewall Service has been stopped." + href: event-5025.md + - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." + href: event-5027.md + - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." + href: event-5028.md + - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." + href: event-5029.md + - name: "Event 5030 F: The Windows Firewall Service failed to start." + href: event-5030.md + - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." + href: event-5032.md + - name: "Event 5033 S: The Windows Firewall Driver has started successfully." + href: event-5033.md + - name: "Event 5034 S: The Windows Firewall Driver was stopped." + href: event-5034.md + - name: "Event 5035 F: The Windows Firewall Driver failed to start." + href: event-5035.md + - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." + href: event-5037.md + - name: "Event 5058 S, F: Key file operation." + href: event-5058.md + - name: "Event 5059 S, F: Key migration operation." + href: event-5059.md + - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." + href: event-6400.md + - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." + href: event-6401.md + - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." + href: event-6402.md + - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." + href: event-6403.md + - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." + href: event-6404.md + - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." + href: event-6405.md + - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." + href: event-6406.md + - name: "Event 6407: 1%." + href: event-6407.md + - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." + href: event-6408.md + - name: "Event 6409: BranchCache: A service connection point object could not be parsed." + href: event-6409.md + - name: Audit Security State Change + href: audit-security-state-change.md + items: + - name: "Event 4608 S: Windows is starting up." + href: event-4608.md + - name: "Event 4616 S: The system time was changed." + href: event-4616.md + - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." + href: event-4621.md + - name: Audit Security System Extension + href: audit-security-system-extension.md + items: + - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." + href: event-4610.md + - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." + href: event-4611.md + - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." + href: event-4614.md + - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." + href: event-4622.md + - name: "Event 4697 S: A service was installed in the system." + href: event-4697.md + - name: Audit System Integrity + href: audit-system-integrity.md + items: + - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." + href: event-4612.md + - name: "Event 4615 S: Invalid use of LPC port." + href: event-4615.md + - name: "Event 4618 S: A monitored security event pattern has occurred." + href: event-4618.md + - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." + href: event-4816.md + - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." + href: event-5038.md + - name: "Event 5056 S: A cryptographic self-test was performed." + href: event-5056.md + - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." + href: event-5062.md + - name: "Event 5057 F: A cryptographic primitive operation failed." + href: event-5057.md + - name: "Event 5060 F: Verification operation failed." + href: event-5060.md + - name: "Event 5061 S, F: Cryptographic operation." + href: event-5061.md + - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." + href: event-6281.md + - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." + href: event-6410.md + - name: Other Events + href: other-events.md + items: + - name: "Event 1100 S: The event logging service has shut down." + href: event-1100.md + - name: "Event 1102 S: The audit log was cleared." + href: event-1102.md + - name: "Event 1104 S: The security log is now full." + href: event-1104.md + - name: "Event 1105 S: Event log automatic backup." + href: event-1105.md + - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." + href: event-1108.md + - name: "Appendix A: Security monitoring recommendations for many audit events" + href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md + - name: Registry (Global Object Access Auditing) + href: registry-global-object-access-auditing.md + - name: File System (Global Object Access Auditing) + href: file-system-global-object-access-auditing.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index c1ffec9b59..3fff0198ed 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -13,7 +13,7 @@ author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium -ms.technology: mde +ms.technology: other --- # Block untrusted fonts in an enterprise diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 9b2b985db5..fc40dc48df 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -10,7 +10,7 @@ ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: mde +ms.technology: other --- # FIPS 140-2 Validation @@ -6780,7 +6780,7 @@ Version 6.3.9600 #### SP 800-132 Password-Based Key Derivation Function (PBKDF) - +
Modes / States / Key Sizes diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png new file mode 100644 index 0000000000..97c7448b8c Binary files /dev/null and b/windows/security/threat-protection/images/simplified-sdl.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f299d99657..7baa36b1a0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,149 +1,51 @@ --- -title: Threat Protection (Windows 10) -description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +title: Windows threat protection +description: Describes the security capabilities in Windows client focused on threat protection +keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: dansimp +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- -# Threat Protection +# Windows threat protection **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) +- Windows 10 +- Windows 11 -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. -**Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +## Windows threat protection -> [!TIP] -> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/). +See the following articles to learn more about the different areas of Windows threat protection: -

Microsoft Defender for Endpoint

- - - - - - - - - - - - - - - -
threat and vulnerability icon
Threat & vulnerability management
attack surface reduction icon
Attack surface reduction
next generation protection icon
Next-generation protection
endpoint detection and response icon
Endpoint detection and response
automated investigation and remediation icon
Automated investigation and remediation
microsoft threat experts icon
Microsoft Threat Experts
-
Centralized configuration and administration, APIs
Microsoft 365 Defender
-
- - - - ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] - -**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) -- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites) -- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights) -- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) -- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory) - - - -**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. - -- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation) -- [Application control](windows-defender-application-control/windows-defender-application-control.md) -- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md) +- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md) +- [Application control](/windows-defender-application-control/windows-defender-application-control.md) +- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview) +- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md) - [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) +- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md) - - -**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +### Next-generation protection +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) - [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) - [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) -- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - - - -**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - -- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue) -- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline) -- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts) -- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts) -- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis) -- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) - - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections) - - - -**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels) -- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) -- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) -- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation) - - - -**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
-Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - -- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts) - - - -**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
-Integrate Microsoft Defender for Endpoint into your existing workflows. -- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure) -- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem) -- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro) -- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac) -- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports) - - -**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
- Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: -- Intune -- Microsoft Defender for Office 365 -- Microsoft Defender for Identity -- Azure Defender -- Skype for Business -- Microsoft Cloud App Security - - -**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. \ No newline at end of file +- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml deleted file mode 100644 index 78fea4eba3..0000000000 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: Security intelligence - href: index.md - items: - - name: Understand malware & other threats - href: understanding-malware.md - items: - - name: Coin miners - href: coinminer-malware.md - - name: Exploits and exploit kits - href: exploits-malware.md - - name: Fileless threats - href: fileless-threats.md - - name: Macro malware - href: macro-malware.md - - name: Phishing attacks - href: phishing.md - items: - - name: Phishing trends and techniques - href: phishing-trends.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: rootkits-malware.md - - name: Supply chain attacks - href: supply-chain-malware.md - - name: Tech support scams - href: support-scams.md - - name: Trojans - href: trojans-malware.md - - name: Unwanted software - href: unwanted-software.md - - name: Worms - href: worms-malware.md - - name: Prevent malware infection - href: prevent-malware-infection.md - - name: Malware naming convention - href: malware-naming.md - - name: How Microsoft identifies malware and PUA - href: criteria.md - - name: Submit files for analysis - href: submission-guide.md - - name: Troubleshoot malware submission - href: portal-submission-troubleshooting.md - - name: Safety Scanner download - href: safety-scanner-download.md - - name: Industry collaboration programs - href: cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: virus-initiative-criteria.md - - name: Coordinated malware eradication - href: coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: developer-faq.yml - - name: Software developer resources - href: developer-resources.md diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..a12edb4f83 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -9,7 +9,7 @@ ms.author: dansimp author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: other --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md new file mode 100644 index 0000000000..7dcc6cdd7f --- /dev/null +++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md @@ -0,0 +1,22 @@ +--- +title: About the Microsoft Bug Bounty Program +description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# About the Microsoft Bug Bounty Program + +Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you! + +If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions. + +Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details! \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index ee887e168a..e235cf65ec 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -3,13 +3,16 @@ items: - name: System requirements href: reqs-md-app-guard.md - - name: Install WDAG + - name: Install Application Guard href: install-md-app-guard.md - - name: Configure WDAG policies + - name: Configure Application Guard policies href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - - name: FAQ + - name: Application Guard FAQ href: faq-md-app-guard.yml +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 41284661d3..d3480738e7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/16/2021 +ms.date: 09/20/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. @@ -52,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9ad53a26f5..a34c5d900d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 07/23/2021 + ms.date: 09/30/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -171,11 +171,6 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | - Why can I not launch Application Guard when Exploit Guard is enabled? - answer: | - There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - - question: | How can I disable portions of ICS without breaking Application Guard? answer: | @@ -217,6 +212,16 @@ sections: Policy: Allow installation of devices using drivers that match these device setup classes - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + - question: | + I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + answer: | + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + + 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. + + 2. Reboot the device. + + additionalContent: | ## See also diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 3b18ab25d3..c16ce0700e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Enable hardware-based isolation for Microsoft Edge (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/21/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Prepare to install Microsoft Defender Application Guard **Applies to:** -- - Windows 10 + +- Windows 10 +- Windows 11 ## Review system requirements @@ -34,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de Applies to: - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Pro edition, version 1803 +- Windows 11 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario. @@ -41,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher +- Windows 11 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. @@ -66,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick >[!NOTE] >Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only. -1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. +1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**. 2. Right-click **Windows PowerShell**, and then click **Run as administrator**. @@ -120,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick 1. Click **Save**. -After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. \ No newline at end of file +After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index d507e47abf..90f1d07fca 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: martyav ms.author: v-maave -ms.date: 06/12/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -20,10 +20,11 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 [Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). -[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. > [!TIP] > Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. @@ -37,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions - Windows 10 Professional - Windows 10 Enterprise - Windows 10 Education +- Windows 11 Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 4ad66674a9..640f7eae00 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,5 +1,5 @@ --- -title: Microsoft Defender Application Guard (Windows 10) +title: Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: m365-security ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 01/27/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # Microsoft Defender Application Guard overview **Applies to** + - Windows 10 +- Windows 11 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. @@ -54,4 +56,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index fb162b5632..b429e0e44f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 07/01/2021 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,9 @@ ms.technology: mde # System requirements for Microsoft Defender Application Guard **Applies to** + - Windows 10 +- Windows 11 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
Windows 11 | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index d8ff39f397..292813b7c0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: m365-security ms.mktglfcycl: manage @@ -10,7 +10,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/14/2020 +ms.date: 09/09/2021 ms.custom: asr ms.technology: mde --- @@ -20,6 +20,7 @@ ms.technology: mde **Applies to:** - Windows 10 +- Windows 11 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. @@ -50,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard -Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](./install-md-app-guard.md#install-application-guard). @@ -111,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 +- Windows 11 #### Copy and paste options @@ -169,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris The previously added site should still appear in your **Favorites** list. > [!NOTE] - > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11. > > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. > @@ -179,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 +- Windows 11 #### Download options @@ -210,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 +- Windows 11 #### File trust options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. -2. Click **Enabled**, set **Options** to 2, and click **OK**. +2. Click **Enabled**, set **Options** to **2**, and click **OK**. ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md new file mode 100644 index 0000000000..c16994d574 --- /dev/null +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -0,0 +1,31 @@ +--- +title: Microsoft Security Development Lifecycle +description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# Microsoft Security Development Lifecycle + +The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. + +[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) + +Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. + +The Microsoft SDL is based on three core concepts: +- Education +- Continuous process improvement +- Accountability + +To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl). + +And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml new file mode 100644 index 0000000000..1ddc477ef1 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -0,0 +1,351 @@ + - name: Security policy settings + href: security-policy-settings.md + items: + - name: Administer security policy settings + href: administer-security-policy-settings.md + items: + - name: Network List Manager policies + href: network-list-manager-policies.md + - name: Configure security policy settings + href: how-to-configure-security-policy-settings.md + - name: Security policy settings reference + href: security-policy-settings-reference.md + items: + - name: Account Policies + href: account-policies.md + items: + - name: Password Policy + href: password-policy.md + items: + - name: Enforce password history + href: enforce-password-history.md + - name: Maximum password age + href: maximum-password-age.md + - name: Minimum password age + href: minimum-password-age.md + - name: Minimum password length + href: minimum-password-length.md + - name: Password must meet complexity requirements + href: password-must-meet-complexity-requirements.md + - name: Store passwords using reversible encryption + href: store-passwords-using-reversible-encryption.md + - name: Account Lockout Policy + href: account-lockout-policy.md + items: + - name: Account lockout duration + href: account-lockout-duration.md + - name: Account lockout threshold + href: account-lockout-threshold.md + - name: Reset account lockout counter after + href: reset-account-lockout-counter-after.md + - name: Kerberos Policy + href: kerberos-policy.md + items: + - name: Enforce user logon restrictions + href: enforce-user-logon-restrictions.md + - name: Maximum lifetime for service ticket + href: maximum-lifetime-for-service-ticket.md + - name: Maximum lifetime for user ticket + href: maximum-lifetime-for-user-ticket.md + - name: Maximum lifetime for user ticket renewal + href: maximum-lifetime-for-user-ticket-renewal.md + - name: Maximum tolerance for computer clock synchronization + href: maximum-tolerance-for-computer-clock-synchronization.md + - name: Audit Policy + href: audit-policy.md + - name: Security Options + href: security-options.md + items: + - name: "Accounts: Administrator account status" + href: accounts-administrator-account-status.md + - name: "Accounts: Block Microsoft accounts" + href: accounts-block-microsoft-accounts.md + - name: "Accounts: Guest account status" + href: accounts-guest-account-status.md + - name: "Accounts: Limit local account use of blank passwords to console logon only" + href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md + - name: "Accounts: Rename administrator account" + href: accounts-rename-administrator-account.md + - name: "Accounts: Rename guest account" + href: accounts-rename-guest-account.md + - name: "Audit: Audit the access of global system objects" + href: audit-audit-the-access-of-global-system-objects.md + - name: "Audit: Audit the use of Backup and Restore privilege" + href: audit-audit-the-use-of-backup-and-restore-privilege.md + - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + href: audit-force-audit-policy-subcategory-settings-to-override.md + - name: "Audit: Shut down system immediately if unable to log security audits" + href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md + - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "Devices: Allow undock without having to log on" + href: devices-allow-undock-without-having-to-log-on.md + - name: "Devices: Allowed to format and eject removable media" + href: devices-allowed-to-format-and-eject-removable-media.md + - name: "Devices: Prevent users from installing printer drivers" + href: devices-prevent-users-from-installing-printer-drivers.md + - name: "Devices: Restrict CD-ROM access to locally logged-on user only" + href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md + - name: "Devices: Restrict floppy access to locally logged-on user only" + href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md + - name: "Domain controller: Allow server operators to schedule tasks" + href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server signing requirements" + href: domain-controller-ldap-server-signing-requirements.md + - name: "Domain controller: Refuse machine account password changes" + href: domain-controller-refuse-machine-account-password-changes.md + - name: "Domain member: Digitally encrypt or sign secure channel data (always)" + href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md + - name: "Domain member: Digitally encrypt secure channel data (when possible)" + href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md + - name: "Domain member: Digitally sign secure channel data (when possible)" + href: domain-member-digitally-sign-secure-channel-data-when-possible.md + - name: "Domain member: Disable machine account password changes" + href: domain-member-disable-machine-account-password-changes.md + - name: "Domain member: Maximum machine account password age" + href: domain-member-maximum-machine-account-password-age.md + - name: "Domain member: Require strong (Windows 2000 or later) session key" + href: domain-member-require-strong-windows-2000-or-later-session-key.md + - name: "Interactive logon: Display user information when the session is locked" + href: interactive-logon-display-user-information-when-the-session-is-locked.md + - name: "Interactive logon: Don't display last signed-in" + href: interactive-logon-do-not-display-last-user-name.md + - name: "Interactive logon: Don't display username at sign-in" + href: interactive-logon-dont-display-username-at-sign-in.md + - name: "Interactive logon: Do not require CTRL+ALT+DEL" + href: interactive-logon-do-not-require-ctrl-alt-del.md + - name: "Interactive logon: Machine account lockout threshold" + href: interactive-logon-machine-account-lockout-threshold.md + - name: "Interactive logon: Machine inactivity limit" + href: interactive-logon-machine-inactivity-limit.md + - name: "Interactive logon: Message text for users attempting to log on" + href: interactive-logon-message-text-for-users-attempting-to-log-on.md + - name: "Interactive logon: Message title for users attempting to log on" + href: interactive-logon-message-title-for-users-attempting-to-log-on.md + - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md + - name: "Interactive logon: Prompt user to change password before expiration" + href: interactive-logon-prompt-user-to-change-password-before-expiration.md + - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" + href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md + - name: "Interactive logon: Require smart card" + href: interactive-logon-require-smart-card.md + - name: "Interactive logon: Smart card removal behavior" + href: interactive-logon-smart-card-removal-behavior.md + - name: "Microsoft network client: Digitally sign communications (always)" + href: microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" + href: smbv1-microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" + href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on next password change" + href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md + - name: "User Account Control: Detect application installations and prompt for elevation" + href: user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: access-this-computer-from-the-network.md + - name: Act as part of the operating system + href: act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: add-workstations-to-domain.md + - name: Adjust memory quotas for a process + href: adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: back-up-files-and-directories.md + - name: Bypass traverse checking + href: bypass-traverse-checking.md + - name: Change the system time + href: change-the-system-time.md + - name: Change the time zone + href: change-the-time-zone.md + - name: Create a pagefile + href: create-a-pagefile.md + - name: Create a token object + href: create-a-token-object.md + - name: Create global objects + href: create-global-objects.md + - name: Create permanent shared objects + href: create-permanent-shared-objects.md + - name: Create symbolic links + href: create-symbolic-links.md + - name: Debug programs + href: debug-programs.md + - name: Deny access to this computer from the network + href: deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: deny-log-on-as-a-service.md + - name: Deny log on locally + href: deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a remote system + href: force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: generate-security-audits.md + - name: Impersonate a client after authentication + href: impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: increase-a-process-working-set.md + - name: Increase scheduling priority + href: increase-scheduling-priority.md + - name: Load and unload device drivers + href: load-and-unload-device-drivers.md + - name: Lock pages in memory + href: lock-pages-in-memory.md + - name: Log on as a batch job + href: log-on-as-a-batch-job.md + - name: Log on as a service + href: log-on-as-a-service.md + - name: Manage auditing and security log + href: manage-auditing-and-security-log.md + - name: Modify an object label + href: modify-an-object-label.md + - name: Modify firmware environment values + href: modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: perform-volume-maintenance-tasks.md + - name: Profile single process + href: profile-single-process.md + - name: Profile system performance + href: profile-system-performance.md + - name: Remove computer from docking station + href: remove-computer-from-docking-station.md + - name: Replace a process level token + href: replace-a-process-level-token.md + - name: Restore files and directories + href: restore-files-and-directories.md + - name: Shut down the system + href: shut-down-the-system.md + - name: Synchronize directory service data + href: synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 9c23deaecd..1fd7837df9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows 11 >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a9d13497a..6e2bbdd64b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -1,5 +1,8 @@ - name: Application Control for Windows + href: index.yml +- name: About application control for Windows href: windows-defender-application-control.md + expanded: true items: - name: WDAC and AppLocker Overview href: wdac-and-applocker-overview.md @@ -292,3 +295,6 @@ href: applocker\using-event-viewer-with-applocker.md - name: AppLocker Settings href: applocker\applocker-settings.md +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 5d98c29cbb..f200b445bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and later > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml deleted file mode 100644 index b796c0e95e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml +++ /dev/null @@ -1,186 +0,0 @@ -- name: AppLocker - href: applocker-overview.md - items: - - name: Administer AppLocker - href: administer-applocker.md - items: - - name: Maintain AppLocker policies - href: maintain-applocker-policies.md - - name: Edit an AppLocker policy - href: edit-an-applocker-policy.md - - name: Test and update an AppLocker policy - href: test-and-update-an-applocker-policy.md - - name: Deploy AppLocker policies by using the enforce rules setting - href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md - - name: Use the AppLocker Windows PowerShell cmdlets - href: use-the-applocker-windows-powershell-cmdlets.md - - name: Use AppLocker and Software Restriction Policies in the same domain - href: use-applocker-and-software-restriction-policies-in-the-same-domain.md - - name: Optimize AppLocker performance - href: optimize-applocker-performance.md - - name: Monitor app usage with AppLocker - href: monitor-application-usage-with-applocker.md - - name: Manage packaged apps with AppLocker - href: manage-packaged-apps-with-applocker.md - - name: Working with AppLocker rules - href: working-with-applocker-rules.md - items: - - name: Create a rule that uses a file hash condition - href: create-a-rule-that-uses-a-file-hash-condition.md - - name: Create a rule that uses a path condition - href: create-a-rule-that-uses-a-path-condition.md - - name: Create a rule that uses a publisher condition - href: create-a-rule-that-uses-a-publisher-condition.md - - name: Create AppLocker default rules - href: create-applocker-default-rules.md - - name: Add exceptions for an AppLocker rule - href: configure-exceptions-for-an-applocker-rule.md - - name: Create a rule for packaged apps - href: create-a-rule-for-packaged-apps.md - - name: Delete an AppLocker rule - href: delete-an-applocker-rule.md - - name: Edit AppLocker rules - href: edit-applocker-rules.md - - name: Enable the DLL rule collection - href: enable-the-dll-rule-collection.md - - name: Enforce AppLocker rules - href: enforce-applocker-rules.md - - name: Run the Automatically Generate Rules wizard - href: run-the-automatically-generate-rules-wizard.md - - name: Working with AppLocker policies - href: working-with-applocker-policies.md - items: - - name: Configure the Application Identity service - href: configure-the-application-identity-service.md - - name: Configure an AppLocker policy for audit only - href: configure-an-applocker-policy-for-audit-only.md - - name: Configure an AppLocker policy for enforce rules - href: configure-an-applocker-policy-for-enforce-rules.md - - name: Display a custom URL message when users try to run a blocked app - href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md - - name: Export an AppLocker policy from a GPO - href: export-an-applocker-policy-from-a-gpo.md - - name: Export an AppLocker policy to an XML file - href: export-an-applocker-policy-to-an-xml-file.md - - name: Import an AppLocker policy from another computer - href: import-an-applocker-policy-from-another-computer.md - - name: Import an AppLocker policy into a GPO - href: import-an-applocker-policy-into-a-gpo.md - - name: Add rules for packaged apps to existing AppLocker rule-set - href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md - - name: Merge AppLocker policies by using Set-ApplockerPolicy - href: merge-applocker-policies-by-using-set-applockerpolicy.md - - name: Merge AppLocker policies manually - href: merge-applocker-policies-manually.md - - name: Refresh an AppLocker policy - href: refresh-an-applocker-policy.md - - name: Test an AppLocker policy by using Test-AppLockerPolicy - href: test-an-applocker-policy-by-using-test-applockerpolicy.md - - name: AppLocker design guide - href: applocker-policies-design-guide.md - items: - - name: Understand AppLocker policy design decisions - href: understand-applocker-policy-design-decisions.md - - name: Determine your application control objectives - href: determine-your-application-control-objectives.md - - name: Create a list of apps deployed to each business group - href: create-list-of-applications-deployed-to-each-business-group.md - items: - - name: Document your app list - href: document-your-application-list.md - - name: Select the types of rules to create - href: select-types-of-rules-to-create.md - items: - - name: Document your AppLocker rules - href: document-your-applocker-rules.md - - name: Determine the Group Policy structure and rule enforcement - href: determine-group-policy-structure-and-rule-enforcement.md - items: - - name: Understand AppLocker enforcement settings - href: understand-applocker-enforcement-settings.md - - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy - href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md - - name: Document the Group Policy structure and AppLocker rule enforcement - href: document-group-policy-structure-and-applocker-rule-enforcement.md - - name: Plan for AppLocker policy management - href: plan-for-applocker-policy-management.md - - name: AppLocker deployment guide - href: applocker-policies-deployment-guide.md - items: - - name: Understand the AppLocker policy deployment process - href: understand-the-applocker-policy-deployment-process.md - - name: Requirements for Deploying AppLocker Policies - href: requirements-for-deploying-applocker-policies.md - - name: Use Software Restriction Policies and AppLocker policies - href: using-software-restriction-policies-and-applocker-policies.md - - name: Create Your AppLocker policies - href: create-your-applocker-policies.md - items: - - name: Create Your AppLocker rules - href: create-your-applocker-rules.md - - name: Deploy the AppLocker policy into production - href: deploy-the-applocker-policy-into-production.md - items: - - name: Use a reference device to create and maintain AppLocker policies - href: use-a-reference-computer-to-create-and-maintain-applocker-policies.md - - name: Determine which apps are digitally signed on a reference device - href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md - - name: Configure the AppLocker reference device - href: configure-the-appLocker-reference-device.md - - name: AppLocker technical reference - href: applocker-technical-reference.md - items: - - name: What Is AppLocker? - href: what-is-applocker.md - - name: Requirements to use AppLocker - href: requirements-to-use-applocker.md - - name: AppLocker policy use scenarios - href: applocker-policy-use-scenarios.md - - name: How AppLocker works - href: how-applocker-works-techref.md - items: - - name: Understanding AppLocker rule behavior - href: understanding-applocker-rule-behavior.md - - name: Understanding AppLocker rule exceptions - href: understanding-applocker-rule-exceptions.md - - name: Understanding AppLocker rule collections - href: understanding-applocker-rule-collections.md - - name: Understanding AppLocker allow and deny actions on rules - href: understanding-applocker-allow-and-deny-actions-on-rules.md - - name: Understanding AppLocker rule condition types - href: understanding-applocker-rule-condition-types.md - items: - - name: Understanding the publisher rule condition in AppLocker - href: understanding-the-publisher-rule-condition-in-applocker.md - - name: Understanding the path rule condition in AppLocker - href: understanding-the-path-rule-condition-in-applocker.md - - name: Understanding the file hash rule condition in AppLocker - href: understanding-the-file-hash-rule-condition-in-applocker.md - - name: Understanding AppLocker default rules - href: understanding-applocker-default-rules.md - items: - - name: Executable rules in AppLocker - href: executable-rules-in-applocker.md - - name: Windows Installer rules in AppLocker - href: windows-installer-rules-in-applocker.md - - name: Script rules in AppLocker - href: script-rules-in-applocker.md - - name: DLL rules in AppLocker - href: dll-rules-in-applocker.md - - name: Packaged apps and packaged app installer rules in AppLocker - href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md - - name: AppLocker architecture and components - href: applocker-architecture-and-components.md - - name: AppLocker processes and interactions - href: applocker-processes-and-interactions.md - - name: AppLocker functions - href: applocker-functions.md - - name: Security considerations for AppLocker - href: security-considerations-for-applocker.md - - name: Tools to Use with AppLocker - href: tools-to-use-with-applocker.md - items: - - name: Using Event Viewer with AppLocker - href: using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 9036f3e4c1..727135ff89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 7f2698f4c6..9838e069b1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 44cb55c39e..f11b29225e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index c6b0e3ecf4..a095a49531 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 93a162dc9a..45cbf5c074 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 86a8829b86..d5c03fc57e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index a7d286ac77..d0df809923 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 9afaf76dd4..1314f32db2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 72c593b20b..ccb2db435b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index e6ffbc2ba9..504b6ddc8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the settings used by AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 49e952d360..72e525eb33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 44e68d79c2..0c75f461a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index e59657993f..411f862d54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index a018cafadb..f349cab5c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index e836660931..1f654436af 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 0501a133b2..37736b98e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index eecd667d2b..6a921a1a9f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 141694e9b1..ae414198e7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 3efd61d7e9..305a8f1f28 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a path condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 8554f3c9f2..e54c7be041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 1b41d7d17d..7d5cb87442 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 61d80caa45..ca15623e30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index a4dd6d3cbb..3a1109a239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 49afa8e599..bbf2bbc5f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index d99290ca20..a76438913f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals describes the steps to delete an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 4eacf25176..bd37f7dbd6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 1cef053c49..801357a512 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 4e97c71abe..56fabec7f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic describes the process to follow when you are planning to deploy AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index cd61c3ae04..0f79249eb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index 90e037220c..f1a3d2fdb0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 0337e87f46..33e52bdb43 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index f547e9a47c..90d0e55f8b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the DLL rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 94b76c08b1..28c6e63bf2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index abace52005..19976bf113 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 61e0ea6cd7..d456dd6197 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index d9503e8a00..d3e0de4082 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps required to modify an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index ae57316f95..4a6c308d6c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index a7127c01e3..a4fda0421a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index d5af5704b4..d5979bfac8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to enforce application control rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 4a08f289bb..6737670f69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the executable rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 6a31ee8659..8069b0c488 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index b31a06093c..13a340752a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index a69c492e7b..f2f21ec59a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index ee2571025c..2ca831ad61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index a1f2c8e829..ea0d11ab6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 495e5578cb..fbd1e8bf5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to maintain rules within AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 963ec6547b..fb2455652e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 1034d8e194..a054a02bd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index c6beb49771..8e26890ee4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 15bd4e6197..80d37a8614 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 15357f0a4c..bda74906e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to optimize AppLocker policy enforcement. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 7cd27ec5a6..ca8932c6f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker rule collection for packaged app installers and packaged apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 5a2aab5ef9..58c2a7e1aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index c306fa8809..82a4c1e458 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to force an update for an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 3d09d68ef3..229cfda610 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 63b249672d..3c707b81d5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index 4c9ff4b21a..f17c70b80d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 4b4ca99f66..9076c55024 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the script rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 006efd19a1..975f550c4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 9dedd807d1..d550e452bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists resources you can use when selecting your application control policy rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index ca0dc2f8e4..d75ba70771 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 3a42a9d7aa..389120fbf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic discusses the steps required to test an AppLocker policy prior to deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 19eb7cd1d3..a2e61460e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tools available to create and administer AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 7058ee0c64..e675fb2869 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the AppLocker enforcement settings for rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index ccdfd461a6..423a4d1362 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5803246cf1..92387a5fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 23383522f6..799df0904c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 319498a599..73277f9b7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the differences between allow and deny actions on AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 7a33f4dde5..5bf6447ed9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92f40c3d8c..cace268255 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index e8cf87080b..70106f07bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 80ce31b642..5e0876bc46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index c4cf8ac3ea..a83a41aef9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the result of applying AppLocker rule exceptions to rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 1bb2c999af..62751a55dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index e8856ed8ee..365ad545e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 8dade37801..6c68cb3be5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index a283a7ab4f..9a97cd9a36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 6dcd91c001..41241819f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index ce28a56e21..a27af3c553 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 3015885de1..d0a93e2296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 79b2485918..142eeb4cf9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index b65a70c0fe..2bb5d4a07b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 0975dd70c7..c5a2d513e3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index e4c6caae70..6e13cbce6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 74ce2ea9d8..f05e000e74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -25,7 +25,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..62270b6e8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..0ca71721d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 70e5a3a31d..26506a422a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index a6fe5ce62e..fb11f5cbf8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. There are three primary steps to keep in mind: diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 761ea31822..7f12604edc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 40ab4ad3bd..4d96dd5039 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 0037968837..ae19d1e80f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 76199f55b5..98d4991e37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index bdb0bb25f6..fbe13edbe5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 9ea7cc663a..96abd74691 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index dea3b62b33..8482f5f1c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > [!NOTE] > Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 29fbbe9431..7b44dba695 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 3dcca008bc..b8900a28dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 2212ae92fb..67dadf4ccd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index ad706276ac..bff322daff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers how to disable unsigned or signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 5dd1fd73f9..685ffd83a1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 4e249a4f50..b12655562e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml new file mode 100644 index 0000000000..ef5892459f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -0,0 +1,117 @@ +### YamlMime:Landing + +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is Windows Defender Application Control (WDAC)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about Policy Design + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Microsoft's Recommended Blocklist + url: microsoft-recommended-block-rules.md + - text: Microsoft's Recommended Driver Blocklist + url: microsoft-recommended-driver-block-rules.md + - text: Example WDAC policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - text: Managing multiple policies + url: deploy-multiple-windows-defender-application-control-policies.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: create-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Deploying catalog files for WDAC management + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: Using the WDAC Wizard + url: wdac-wizard.md + #- linkListType: Tutorial (videos) + # links: + # - text: Using the WDAC Wizard + # url: video md + # - text: Specifying custom values + # url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy and file rules + url: select-types-of-rules-to-create.md + - linkListType: how-to-guide + links: + - text: Allow managed installer and configure managed installer rules + url: configure-authorized-apps-deployed-with-a-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + - text: Managed MSIX and Appx Packaged Apps + url: manage-packaged-apps-with-windows-defender-application-control.md + - text: Allow com object registration + url: allow-com-object-registration-in-windows-defender-application-control-policy.md + - text: Manage plug-ins, add-ins and modules + url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Using signed policies to protect against tampering + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-and-enforce-windows-defender-application-control-policies.md + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + - text: Deployment with Group Policy + url: deploy-windows-defender-application-control-policies-using-group-policy.md + # Card + - title: Learn how to monitor WDAC events + linkLists: + - linkListType: overview + links: + - text: Understanding event IDs + url: event-id-explanations.md + - text: Understanding event Tags + url: event-tag-explanations.md + - linkListType: how-to-guide + links: + - text: Querying events using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 2d0ccf9451..5939c67fde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index f2561cb90c..1c0bf07bd4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index d9e8974465..53d81d3ab1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -27,7 +27,7 @@ ms.date: 08/23/2021 - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 56ff102873..4e5251d27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -26,17 +26,22 @@ ms.date: - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: -> [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel +- Malicious behaviors (malware) or certificates used to sign malware +- Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel + +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. + +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. ```xml @@ -59,6 +64,46 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -128,40 +173,148 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -174,22 +327,22 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - + + + + + + + - + - - - - - + @@ -225,7 +378,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -247,17 +400,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + @@ -288,6 +450,42 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -304,10 +502,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -315,118 +513,273 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - @@ -441,7 +794,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.19565.0 + 10.0.22417.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 3cd76bde2b..015e6b6e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -26,7 +26,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 0c319af7e6..bff9aace8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 403aab58d8..69855b69b3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index a4f3db57bd..024f7881f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index ce15020a22..e0abed5fef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index dae8561c9b..392ab9a072 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers guidelines for using code signing control classic Windows apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 73f07b3405..79b9e0a33c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 3ceb3636e0..224fa1dac5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 22a1c3c03a..5ce6dec509 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22c3b5e232..d1f5ea9591 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index e8557445d0..37d3a19f84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b0f068d8b7..eb2d098d4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index f11d86f9a7..71046d7308 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index d696659c2a..754f399a47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:

    diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 4cdeb72f21..3143fd1d5c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 40512b4dda..b3d650b5e2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 57db67bee8..6617b5581c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 31c5d1fe8e..8d5d8dda4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index abe51d1188..9d17eb7f30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index ed1a7fe460..203ac733d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,36 +21,36 @@ ms.technology: mde **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 - -The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: - [Microsoft Account](https://account.microsoft.com/account/faq) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +You can only configure these settings by using Group Policy. >[!IMPORTANT] >### Requirements > >You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Account protection**. -6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..acfa2cee01 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -11,17 +11,18 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # App and browser control **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 33a2c7d531..9f9932bc80 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/13/2021 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10, version 1709 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..3672d5c25a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..8526440bc9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -10,17 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Device security **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 The **Device security** section contains information and settings for built-in device security. @@ -28,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..a9e4a148c5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. @@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..924bcd1150 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,10 +9,10 @@ ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -20,8 +20,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 0a1389c07b..a58b61c3b1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 07/23/2020 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Hide Windows Security app notifications **Applies to** -- Windows 10, version 1809 and above - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..2d43e965ba 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -12,16 +12,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- - # Virus and threat protection **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..7f3ef48df0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -22,19 +22,11 @@ ms.technology: mde - Windows 10 in S mode, version 1803 -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Microsoft Intune - Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index cb27db7bfd..7d0a3187b2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,14 +11,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # The Windows Security app **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 This library describes the Windows Security app, and provides information on configuring certain features, including: diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..ca84e461a5 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml deleted file mode 100644 index f7e0955409..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: security-compliance-toolkit-10.md - - name: Get support - href: get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..435be7648b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -11,22 +11,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/25/2018 +ms.date: ms.reviewer: ms.technology: mde --- # Windows security baselines -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Office 2016 ## Using security baselines in your organization -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. @@ -56,12 +51,13 @@ You can use security baselines to: ## Where can I get the security baselines? -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. +There are several ways to get and use security baselines: -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. + +3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md). ## Community diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md new file mode 100644 index 0000000000..6792a8df14 --- /dev/null +++ b/windows/security/trusted-boot.md @@ -0,0 +1,40 @@ +--- +title: Secure Boot and Trusted Boot +description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/21/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: jsuther +f1.keywords: NOCSH +--- + +# Secure Boot and Trusted Boot + +*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* + +Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. + +## Secure Boot + +The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. + +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. + +## Trusted Boot + +Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. + +Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. + +## See also + +[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md new file mode 100644 index 0000000000..1462084e1e --- /dev/null +++ b/windows/security/zero-trust-windows-device-health.md @@ -0,0 +1,71 @@ +--- +title: Zero Trust and Windows device health +description: Describes the process of Windows device health attestation +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Zero Trust and Windows device health +Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments. + +The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: + +- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. + +- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity. + +- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. + +The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources. + +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. + +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. + +Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. + +## Device health attestation on Windows + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + +- If the device can be trusted +- If the operating system booted correctly +- If the OS has the right set of security features enabled + +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with. + +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. + +A summary of the steps involved in attestation and Zero Trust on the device side are as follows: + +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. + +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. + +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). + +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. + +5. The attestation service does the following: + + - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. + - Verify that the security features are in the expected states. + +6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. + +7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. + +8. Conditional access, along with device-compliance state then decides to allow or deny access. + +## Other Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/). diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 2aebecdb11..7841ae8015 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 08/18/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -39,7 +38,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. @@ -57,8 +56,7 @@ If you manage devices on behalf of your organization, you will be able to upgrad - Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the **Target Version** policy rather than **Feature Update deferrals** to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to newer version of the same product (from example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
    -> Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business **Target Version** or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. ##### Unmanaged devices @@ -85,7 +83,7 @@ The introduction of Windows 11 is also a good time to review your hardware refre ## Servicing and support -Along with end-user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. **Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index da063c4529..7e584d2ea8 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 09/03/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high @@ -36,25 +35,25 @@ The tools that you use for core workloads during Windows 10 deployments can stil - If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > During deployment, you will be prompted to agree to the End User License Agreement on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. + > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. - If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. > [!NOTE] - > Configuration Manager will prompt you to accept the End User License Agreement on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. #### Cloud-based solutions -- If you use Windows Update for Business policies, you will need to use the **Target Version** capability rather than feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1, but do not enable you to move between products (Windows 10 to Windows 11). +- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). + - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. - - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. -- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. If you use deferrals today in Group Policy, your devices will continue to get the latest feature update of Windows 10 once it has reached your specified deferral age, but will not be offered Windows 11 until you specify this by using the **Select target Feature Update version** policy. Your deferrals will continue to apply in this case as well. +- Quality update deferrals and experience policies will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. + ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting end-user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: @@ -113,9 +112,9 @@ At a high level, the tasks involved are: 6. Test and support the pilot devices. 7. Determine broad deployment readiness based on the results of the pilot. -## End-user readiness +## User readiness -Do not overlook the importance of end-user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: +Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md index 77e2fa58a9..e41a2d7303 100644 --- a/windows/whats-new/windows-11.md +++ b/windows/whats-new/windows-11.md @@ -37,7 +37,7 @@ Windows 11 is built on the same foundation as Windows 10, so the investments you ## How to get Windows 11 -Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning later in the 2021 calendar year. Windows 11 will also be available on eligible new devices. +Windows 11 will be delivered as an upgrade to eligible devices running Windows 10, beginning on October 5, 2021. Windows 11 will also be available on eligible new devices. For administrators managing devices on behalf of their organization, Windows 11 will be available through the same, familiar channels that you use today for Windows 10 feature updates. You will be able to use existing deployment and management tools, such as Windows Update for Business, Microsoft Endpoint Manager, and Windows Autopilot. For more information, see [Plan for Windows 11](windows-11-plan.md).