deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'public' into patch-1

Browse Source
This commit is contained in:
Aaron Czechowski 2022-12-22 13:58:55 -08:00 committed by GitHub
commit 85eda66924
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1391 changed files with 26037 additions and 26567 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
.openpublishing.redirection.json
View File

@ -705,6 +705,21 @@
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "store-for-business/device-guard-signing-portal.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business",
"redirect_document_id": false
},
{
"source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
"redirect_document_id": false
},
{
"source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
"redirect_document_id": false
},
{ {
"source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md", "source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
@ -20174,6 +20189,111 @@
"source_path": "windows/configuration/start-layout-troubleshoot.md", "source_path": "windows/configuration/start-layout-troubleshoot.md",
"redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors", "redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/features-lifecycle.md",
"redirect_url": "/windows/whats-new/feature-lifecycle",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
"redirect_url": "/windows/whats-new/deprecated-features",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/windows-10-removed-features.md",
"redirect_url": "/windows/whats-new/removed-features",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/usmt/usmt-common-issues.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/usmt/usmt-return-codes.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-return-codes",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/prepare/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/deploy/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md",
"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
"redirect_document_id": true
},
{
"source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
"redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/reset-security-key.md",
"redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
"redirect_document_id": false
} }
] ]
} }

41
SECURITY.md Normal file
View File

@ -0,0 +1,41 @@
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
## Security
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
## Reporting Security Issues
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
<!-- END MICROSOFT SECURITY.MD BLOCK -->

10
browsers/edge/breadcrumb/toc.yml
View File

@ -1,7 +1,3 @@
- name: Docs - name: Microsoft Edge
tocHref: / tocHref: /microsoft-edge/
topicHref: / topicHref: /microsoft-edge/index
items:
- name: Microsoft Edge deployment
tocHref: /microsoft-edge/deploy
topicHref: /microsoft-edge/deploy/index

2
browsers/edge/docfx.json
View File

@ -28,7 +28,7 @@
], ],
"globalMetadata": { "globalMetadata": {
"recommendations": true, "recommendations": true,
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json", "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
"ROBOTS": "INDEX, FOLLOW", "ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge", "ms.technology": "microsoft-edge",
"audience": "ITPro", "audience": "ITPro",

8
browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
View File

@ -1,7 +1,7 @@
--- ---
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
ms.date: 10/27/2022 ms.date: 12/16/2022
ms.reviewer: cathask ms.reviewer: cathask
manager: aaroncz manager: aaroncz
ms.prod: ie11 ms.prod: ie11
@ -9,6 +9,8 @@ ms.topic: include
--- ---
> [!WARNING] > [!WARNING]
> The retired, out-of-support Internet Explorer 11 (IE11) desktop application will be permanently disabled on certain versions of Windows 10 as part of the February 2023 Windows security update ("B") release scheduled for February 14, 2023. We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization doesn't experience business disruption. > **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023.
> >
> For more information, see [aka.ms/iemodefaq](https://aka.ms/iemodefaq). > We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption.
>
> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).

46
education/includes/education-content-updates.md
View File

@ -2,51 +2,9 @@
## Week of September 19, 2022 ## Week of December 12, 2022
| Published On |Topic title | Change | | Published On |Topic title | Change |
|------|------------|--------| |------|------------|--------|
| 9/20/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | | 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
## Week of September 12, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
## Week of September 05, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified |
## Week of August 29, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
| 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
| 8/31/2022 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |

2
education/windows/edu-deployment-recommendations.md
View File

@ -1,7 +1,7 @@
--- ---
title: Deployment recommendations for school IT administrators title: Deployment recommendations for school IT administrators
description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
ms.topic: guide ms.topic: conceptual
ms.date: 08/10/2022 ms.date: 08/10/2022
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

16
education/windows/edu-stickers.md
View File

@ -14,7 +14,7 @@ ms.collection:
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes. Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students. Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students.
:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true"::: :::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
@ -41,6 +41,18 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
> [!TIP]
> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>
```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
Content-Type: application/json
{"id":"00-0000-0000-0000-000000000000","displayName":"_MSLearn_Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]}
```
<sup><a name="footnote1"></a>1</sup> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings:
@ -68,8 +80,6 @@ Multiple stickers can be added from the picker by selecting them. The stickers c
Select the *X button* at the top of the screen to save your progress and close the sticker editor. Select the *X button* at the top of the screen to save your progress and close the sticker editor.
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package

13
education/windows/images/icons/information.svg Normal file
View File

@ -0,0 +1,13 @@
<svg id="bf97f450-0d91-4db3-8ea1-010780a2af52" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="fe22bed8-8e36-415d-8032-3026ad9e8503" x1="8.56" y1="17.59" x2="8.56" y2="0.59" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1988d9" />
<stop offset="0.22" stop-color="#218ddc" />
<stop offset="0.56" stop-color="#379ce5" />
<stop offset="0.9" stop-color="#54aef0" />
</linearGradient>
</defs>
<title>Icon-general-5</title>
<path id="b3492ff9-55dd-4864-be78-9e79f3547897" d="M13.77,15.81A8.5,8.5,0,0,1,3.35,2.37l.09-.06a8.5,8.5,0,0,1,10.33,13.5" fill="url(#fe22bed8-8e36-415d-8032-3026ad9e8503)" />
<path d="M8.56,6.17a1.24,1.24,0,0,1-.89-.33,1,1,0,0,1-.34-.79,1,1,0,0,1,.34-.79A1.31,1.31,0,0,1,8.56,4a1.28,1.28,0,0,1,.89.3,1,1,0,0,1,.35.79,1,1,0,0,1-.35.8A1.24,1.24,0,0,1,8.56,6.17Zm.64,8.05H7.89a.42.42,0,0,1-.42-.42V7.69a.42.42,0,0,1,.42-.42H9.2a.42.42,0,0,1,.42.42V13.8A.42.42,0,0,1,9.2,14.22Z" fill="#fff" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

3
education/windows/includes/intune-custom-settings-1.md
View File

@ -7,9 +7,6 @@ ms.topic: include
To configure devices with Microsoft Intune, use a custom policy: To configure devices with Microsoft Intune, use a custom policy:
> [!TIP]
> If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10Custom/policyJourneyState~/0" target="_blank"><b>create a custom policy</b></a> (opens in a new tab).
1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a> 1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile** 2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**

2
education/windows/test-windows10s-for-edu.md
View File

@ -1,7 +1,7 @@
--- ---
title: Test Windows 10 in S mode on existing Windows 10 education devices title: Test Windows 10 in S mode on existing Windows 10 education devices
description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices.
ms.topic: guide ms.topic: conceptual
ms.date: 08/10/2022 ms.date: 08/10/2022
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>

127
education/windows/windows-11-se-overview.md
View File

@ -80,69 +80,70 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
| Application | Supported version | App Type | Vendor | | Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------| |-------------------------------------------|-------------------|----------|-------------------------------------------|
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft | | `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
| AirSecure | 8.0.0 | Win32 | AIR | | `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | `AirSecure` | 8.0.0 | Win32 | `AIR` |
| Brave Browser | 106.0.5249.65 | Win32 | Brave | | `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | | `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | | `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| CKAuthenticator | 3.6+ | Win32 | Content Keeper | | `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| Class Policy | 114.0.0 | Win32 | Class Policy | | `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
| Classroom.cloud | 1.40.0004 | Win32 | NetSupport | | `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| Duo from Cisco | 2.25.0 | Win32 | Cisco | | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
|Epson iProjection | 3.31 | Win32 | Epson | | `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| eTests | 4.0.25 | Win32 | CASAS | | `Epson iProjection` | 3.31 | Win32 | `Epson` |
| FortiClient | 7.2.0.4034+ | Win32 | Fortinet | | `eTests` | 4.0.25 | Win32 | `CASAS` |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| GoGuardian | 1.4.4 | Win32 | GoGuardian | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| Google Chrome | 102.0.5005.115 | Win32 | Google | | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | | `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| Immunet | 7.5.0.20795 | Win32 | Immunet | | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| Inspiration 10 | 10.11 | Win32 | Inspiration Software, Inc. | | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | | `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps | | `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| Kortext | 2.3.433.0 | Store | Kortext | | `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. | | `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems | | `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation | | `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| NAPLAN | 2.5.0 | Win32 | NAP | | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| Netref Student | 22.2.0 | Win32 | NetRef | | `NAPLAN` | 2.5.0 | Win32 | `NAP` |
| NetSupport Manager | 12.01.0014 | Win32 | NetSupport | | `Netref Student` | 22.2.0 | Win32 | `NetRef` |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| NetSupport School | 14.00.0011 | Win32 | NetSupport | | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | | `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access | | `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA | | `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd | | `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| Pearson TestNav | 1.10.2.0 | Store | Pearson | | `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc | | `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. | | `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft | | `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| Remote Help | 3.8.0.12 | Win32 | Microsoft | | `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | | `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
| Smoothwall monitor | 2.8.0 | Win32 | Smoothwall Ltd | | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | | `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
| Winbird | 19 | Win32 | Winbird Co., Ltd. | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| WordQ | 5.4.23 | Win32 | Mathetmots | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| Zoom | 5.9.1 (2581) | Win32 | Zoom | | `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
## Add your own applications ## Add your own applications

119
store-for-business/add-unsigned-app-to-code-integrity-policy.md
View File

@ -1,119 +0,0 @@
---
title: Add unsigned app to code integrity policy (Windows 10)
description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device.
ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA
ms.reviewer:
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
ms.author: cmcatee
author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
---
# Add unsigned app to code integrity policy
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
> Following are the major changes we are making to the service:
>
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
>
> - Get a CI policy
> - Sign a CI policy
> - Sign a catalog
> - Download root cert
> - Download history of your signing operations
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
- Windows 10
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.
## Create a code integrity policy based on a reference device
To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide).
## Create catalog files for your unsigned app
Creating catalog files starts the process for adding an unsigned app to a code integrity policy.
Before you get started, be sure to review these best practices and requirements:
### Requirements
- You'll use Package Inspector during this process.
- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy.
### Best practices
- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
### To create catalog files for your unsigned app
1. Start Package Inspector to scan the C drive.
`PackageInspector.exe Start C:`
2. Copy the installation media to the C drive.
Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed.
3. Install and start the app.
All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries.
4. Stop the scan and create definition and catalog files.
After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop.
`$ExamplePath=$env:userprofile+"\Desktop"`
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
`$CatDefName=$ExamplePath+"\LOBApp.cdf"`
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
The Package Inspector scan catalogs the hash values for each binary file that is finds. If the app that was scanned are updated, do this process again to trust the new binaries hash values.
After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy.
## Catalog signing with Device Guard signing portal
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business.
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
### To sign a catalog file with Device Guard signing portal
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
2. Click **Settings**, click **Store settings**, and then click **Device Guard**.
3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app).
4. After the files are uploaded, click **Sign** to sign the catalog files.
5. Click Download to download each item:
- signed catalog file
- default policy
- root certificate for your organization
When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).

201
store-for-business/device-guard-signing-portal.md
View File

@ -1,201 +0,0 @@
---
title: Device Guard signing (Windows 10)
description: Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Microsoft Store for Education.
ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78
ms.reviewer:
manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
---
# Device Guard signing
**Applies to**
- Windows 10
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
> - Get a CI policy
> - Sign a CI policy
> - Sign a catalog
> - Download root cert
> - Download history of your signing operations
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
## In this section
| Topic | Description |
| ----- | ----------- |
| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. |
| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. |
## Device Guard Signing Service (v2) PowerShell Commands
> [!NOTE]
> [.. common ..] are parameters common across all commands that are documented below the command definitions.
**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
- Usage:
```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
- Usage:
```powershell
Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
- Usage:
```powershell
Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns XML objects returning the XML file.
- Command running time:
The average running time is under 10 seconds.
**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
- Usage:
```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first)
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:
```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten.
> [!NOTE]
> Create the folder first.
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Common parameters [.. common ..]**
In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
- Usage:
```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
- Parameters:
**NoPrompt** - switch, optional - If present, indicates that the script is running in a headless
environment and that all UI should be suppressed. If UI must be displayed (e.g., for
authentication) when the switch is set, the operation will instead fail.
**Credential + AppId** - PSCredential - A login credential (username and password) and AppId.
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
| Description | Limit |
|-------------------------------------------------------|----------|
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
## File types
Catalog and policy files have required files types.
| File | Required file type |
|---------------|--------------------|
| catalog files | .cat |
| policy files | .bin |
## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates
All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline.

63
store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
View File

@ -1,63 +0,0 @@
---
title: Sign code integrity policy with Device Guard signing (Windows 10)
description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.
ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9
ms.reviewer:
manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
---
# Sign code integrity policy with Device Guard signing
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
> - Get a CI policy
> - Sign a CI policy
> - Sign a catalog
> - Download root cert
> - Download history of your signing operations
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
- Windows 10
Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.
## Sign your code integrity policy
Before you get started, be sure to review these best practices:
**Best practices**
- Test your code integrity policies on a group of devices before deploying them to a large group of devices.
- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
**To sign a code integrity policy**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, click **Store settings**, and then click **Device Guard**.
3. Click **Upload** to upload your code integrity policy.
4. After the files are uploaded, click **Sign** to sign the code integrity policy.
5. Click **Download** to download the signed code integrity policy.
When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy.

1
windows/application-management/apps-in-windows-10.md
View File

@ -5,6 +5,7 @@ ms.prod: windows-client
author: nicholasswhite author: nicholasswhite
ms.author: nwhite ms.author: nwhite
manager: aaroncz manager: aaroncz
ms.date: 12/07/2017
ms.reviewer: ms.reviewer:
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article

1
windows/application-management/provisioned-apps-windows-client-os.md
View File

@ -4,6 +4,7 @@ ms.reviewer:
author: nicholasswhite author: nicholasswhite
ms.author: nwhite ms.author: nwhite
manager: aaroncz manager: aaroncz
ms.date: 12/07/2017
description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

2
windows/application-management/sideload-apps-in-windows-10.md
View File

@ -5,9 +5,11 @@ ms.reviewer:
author: nicholasswhite author: nicholasswhite
ms.author: nwhite ms.author: nwhite
manager: aaroncz manager: aaroncz
ms.date: 12/07/2017
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-apps ms.technology: itpro-apps
ms.topic: article
--- ---
# Sideload line of business (LOB) apps in Windows client devices # Sideload line of business (LOB) apps in Windows client devices

1
windows/application-management/system-apps-windows-client-os.md
View File

@ -4,6 +4,7 @@ ms.reviewer:
author: nicholasswhite author: nicholasswhite
ms.author: nwhite ms.author: nwhite
manager: aaroncz manager: aaroncz
ms.date: 12/07/2017
description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium

1
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -9,6 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: highpri ms.collection: highpri
ms.date: 12/31/2017
--- ---
# Azure Active Directory integration with MDM # Azure Active Directory integration with MDM

2
windows/client-management/enable-admx-backed-policies-in-mdm.md
View File

@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Find the variable names of the parameters in the ADMX file. 2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description.](images/admx-appv-policy-description.png) ![Publishing server 2 policy description.](images/admx-appv-policy-description.png)

1
windows/client-management/esim-enterprise-management.md
View File

@ -7,6 +7,7 @@ ms.localizationpriority: medium
ms.author: vinpa ms.author: vinpa
ms.topic: conceptual ms.topic: conceptual
ms.technology: itpro-manage ms.technology: itpro-manage
ms.date: 12/31/2017
--- ---
# How Mobile Device Management Providers support eSIM Management on Windows # How Mobile Device Management Providers support eSIM Management on Windows

1
windows/client-management/mdm-enrollment-of-windows-devices.md
View File

@ -12,6 +12,7 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.collection: highpri ms.collection: highpri
ms.date: 12/31/2017
--- ---
# MDM enrollment of Windows 10-based devices # MDM enrollment of Windows 10-based devices

4144
windows/client-management/mdm/defender-csp.md
View File

File diff suppressed because it is too large Load Diff

1733
windows/client-management/mdm/defender-ddf.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -277,7 +277,7 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti
Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions** <a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string. Supported operations are Add, Get, Replace and Delete. Value type is string.

1
windows/client-management/mdm/firewall-csp.md
View File

@ -8,6 +8,7 @@ ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.date: 12/31/2017
--- ---
# Firewall configuration service provider (CSP) # Firewall configuration service provider (CSP)

2
windows/client-management/mdm/healthattestation-csp.md
View File

@ -8,7 +8,7 @@ ms.topic: article
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: ms.date: 4/5/2022
--- ---
# Device HealthAttestation CSP # Device HealthAttestation CSP

4915
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

File diff suppressed because it is too large Load Diff

1816
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

File diff suppressed because it is too large Load Diff

52
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -21,32 +21,32 @@ ms.date: 07/22/2020
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) - [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites) - [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning) - [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring) - [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection) - [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning) - [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) - [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) - [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection) - [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection) - [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring) - [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles) - [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning) - [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess) - [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor) - [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware) - [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions) - [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths) - [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses) - [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection) - [Defender/PUAProtection](policy-csp-defender.md#puaprotection)
- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection) - [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter) - [Defender/ScanParameter](policy-csp-defender.md#scanparameter)
- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime) - [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday) - [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime) - [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval) - [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent) - [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction) - [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)

10578
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

812
windows/client-management/mdm/policy-csp-admx-mss-legacy.md Normal file
View File

@ -0,0 +1,812 @@
---
title: ADMX_MSS-legacy Policy CSP
description: Learn more about the ADMX_MSS-legacy Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_MSS-legacy-Begin -->
# Policy CSP - ADMX_MSS-legacy
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- ADMX_MSS-legacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_MSS-legacy-Editable-End -->
<!-- Pol_MSS_AutoAdminLogon-Begin -->
## Pol_MSS_AutoAdminLogon
<!-- Pol_MSS_AutoAdminLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoAdminLogon-Applicability-End -->
<!-- Pol_MSS_AutoAdminLogon-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoAdminLogon
```
<!-- Pol_MSS_AutoAdminLogon-OmaUri-End -->
<!-- Pol_MSS_AutoAdminLogon-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoAdminLogon-Description-End -->
<!-- Pol_MSS_AutoAdminLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable Automatic Logon (not recommended).
<!-- Pol_MSS_AutoAdminLogon-Editable-End -->
<!-- Pol_MSS_AutoAdminLogon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoAdminLogon-DFProperties-End -->
<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-End -->
<!-- Pol_MSS_AutoAdminLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoAdminLogon-Examples-End -->
<!-- Pol_MSS_AutoAdminLogon-End -->
<!-- Pol_MSS_AutoReboot-Begin -->
## Pol_MSS_AutoReboot
<!-- Pol_MSS_AutoReboot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoReboot-Applicability-End -->
<!-- Pol_MSS_AutoReboot-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoReboot
```
<!-- Pol_MSS_AutoReboot-OmaUri-End -->
<!-- Pol_MSS_AutoReboot-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoReboot-Description-End -->
<!-- Pol_MSS_AutoReboot-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow Windows to automatically restart after a system crash (recommended except for highly secure environments).
<!-- Pol_MSS_AutoReboot-Editable-End -->
<!-- Pol_MSS_AutoReboot-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoReboot-DFProperties-End -->
<!-- Pol_MSS_AutoReboot-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoReboot-AdmxBacked-End -->
<!-- Pol_MSS_AutoReboot-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoReboot-Examples-End -->
<!-- Pol_MSS_AutoReboot-End -->
<!-- Pol_MSS_AutoShareServer-Begin -->
## Pol_MSS_AutoShareServer
<!-- Pol_MSS_AutoShareServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoShareServer-Applicability-End -->
<!-- Pol_MSS_AutoShareServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareServer
```
<!-- Pol_MSS_AutoShareServer-OmaUri-End -->
<!-- Pol_MSS_AutoShareServer-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoShareServer-Description-End -->
<!-- Pol_MSS_AutoShareServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable administrative shares on servers (recommended except for highly secure environments).
<!-- Pol_MSS_AutoShareServer-Editable-End -->
<!-- Pol_MSS_AutoShareServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoShareServer-DFProperties-End -->
<!-- Pol_MSS_AutoShareServer-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoShareServer-AdmxBacked-End -->
<!-- Pol_MSS_AutoShareServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoShareServer-Examples-End -->
<!-- Pol_MSS_AutoShareServer-End -->
<!-- Pol_MSS_AutoShareWks-Begin -->
## Pol_MSS_AutoShareWks
<!-- Pol_MSS_AutoShareWks-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_AutoShareWks-Applicability-End -->
<!-- Pol_MSS_AutoShareWks-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareWks
```
<!-- Pol_MSS_AutoShareWks-OmaUri-End -->
<!-- Pol_MSS_AutoShareWks-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_AutoShareWks-Description-End -->
<!-- Pol_MSS_AutoShareWks-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable administrative shares on workstations (recommended except for highly secure environments).
<!-- Pol_MSS_AutoShareWks-Editable-End -->
<!-- Pol_MSS_AutoShareWks-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_AutoShareWks-DFProperties-End -->
<!-- Pol_MSS_AutoShareWks-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_AutoShareWks-AdmxBacked-End -->
<!-- Pol_MSS_AutoShareWks-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_AutoShareWks-Examples-End -->
<!-- Pol_MSS_AutoShareWks-End -->
<!-- Pol_MSS_DisableSavePassword-Begin -->
## Pol_MSS_DisableSavePassword
<!-- Pol_MSS_DisableSavePassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_DisableSavePassword-Applicability-End -->
<!-- Pol_MSS_DisableSavePassword-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_DisableSavePassword
```
<!-- Pol_MSS_DisableSavePassword-OmaUri-End -->
<!-- Pol_MSS_DisableSavePassword-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_DisableSavePassword-Description-End -->
<!-- Pol_MSS_DisableSavePassword-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Pol_MSS_DisableSavePassword-Editable-End -->
<!-- Pol_MSS_DisableSavePassword-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_DisableSavePassword-DFProperties-End -->
<!-- Pol_MSS_DisableSavePassword-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_DisableSavePassword-AdmxBacked-End -->
<!-- Pol_MSS_DisableSavePassword-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
Prevent the dial-up password from being saved (recommended).
<!-- Pol_MSS_DisableSavePassword-Examples-End -->
<!-- Pol_MSS_DisableSavePassword-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Begin -->
## Pol_MSS_EnableDeadGWDetect
<!-- Pol_MSS_EnableDeadGWDetect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_EnableDeadGWDetect-Applicability-End -->
<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_EnableDeadGWDetect
```
<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_EnableDeadGWDetect-Description-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow automatic detection of dead network gateways (could lead to DoS).
<!-- Pol_MSS_EnableDeadGWDetect-Editable-End -->
<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-End -->
<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-End -->
<!-- Pol_MSS_EnableDeadGWDetect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_EnableDeadGWDetect-Examples-End -->
<!-- Pol_MSS_EnableDeadGWDetect-End -->
<!-- Pol_MSS_HideFromBrowseList-Begin -->
## Pol_MSS_HideFromBrowseList
<!-- Pol_MSS_HideFromBrowseList-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_HideFromBrowseList-Applicability-End -->
<!-- Pol_MSS_HideFromBrowseList-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_HideFromBrowseList
```
<!-- Pol_MSS_HideFromBrowseList-OmaUri-End -->
<!-- Pol_MSS_HideFromBrowseList-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_HideFromBrowseList-Description-End -->
<!-- Pol_MSS_HideFromBrowseList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Hide Computer From the Browse List (not recommended except for highly secure environments).
<!-- Pol_MSS_HideFromBrowseList-Editable-End -->
<!-- Pol_MSS_HideFromBrowseList-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_HideFromBrowseList-DFProperties-End -->
<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-End -->
<!-- Pol_MSS_HideFromBrowseList-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_HideFromBrowseList-Examples-End -->
<!-- Pol_MSS_HideFromBrowseList-End -->
<!-- Pol_MSS_KeepAliveTime-Begin -->
## Pol_MSS_KeepAliveTime
<!-- Pol_MSS_KeepAliveTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_KeepAliveTime-Applicability-End -->
<!-- Pol_MSS_KeepAliveTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_KeepAliveTime
```
<!-- Pol_MSS_KeepAliveTime-OmaUri-End -->
<!-- Pol_MSS_KeepAliveTime-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_KeepAliveTime-Description-End -->
<!-- Pol_MSS_KeepAliveTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how often keep-alive packets are sent in milliseconds.
<!-- Pol_MSS_KeepAliveTime-Editable-End -->
<!-- Pol_MSS_KeepAliveTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_KeepAliveTime-DFProperties-End -->
<!-- Pol_MSS_KeepAliveTime-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_KeepAliveTime-AdmxBacked-End -->
<!-- Pol_MSS_KeepAliveTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_KeepAliveTime-Examples-End -->
<!-- Pol_MSS_KeepAliveTime-End -->
<!-- Pol_MSS_NoDefaultExempt-Begin -->
## Pol_MSS_NoDefaultExempt
<!-- Pol_MSS_NoDefaultExempt-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_NoDefaultExempt-Applicability-End -->
<!-- Pol_MSS_NoDefaultExempt-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NoDefaultExempt
```
<!-- Pol_MSS_NoDefaultExempt-OmaUri-End -->
<!-- Pol_MSS_NoDefaultExempt-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_NoDefaultExempt-Description-End -->
<!-- Pol_MSS_NoDefaultExempt-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Configure IPSec exemptions for various types of network traffic.
<!-- Pol_MSS_NoDefaultExempt-Editable-End -->
<!-- Pol_MSS_NoDefaultExempt-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_NoDefaultExempt-DFProperties-End -->
<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-End -->
<!-- Pol_MSS_NoDefaultExempt-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_NoDefaultExempt-Examples-End -->
<!-- Pol_MSS_NoDefaultExempt-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Begin -->
## Pol_MSS_NtfsDisable8dot3NameCreation
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NtfsDisable8dot3NameCreation
```
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable the computer to stop generating 8.3 style filenames.
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-End -->
<!-- Pol_MSS_NtfsDisable8dot3NameCreation-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Begin -->
## Pol_MSS_PerformRouterDiscovery
<!-- Pol_MSS_PerformRouterDiscovery-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_PerformRouterDiscovery-Applicability-End -->
<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_PerformRouterDiscovery
```
<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_PerformRouterDiscovery-Description-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS).
<!-- Pol_MSS_PerformRouterDiscovery-Editable-End -->
<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-End -->
<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-End -->
<!-- Pol_MSS_PerformRouterDiscovery-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_PerformRouterDiscovery-Examples-End -->
<!-- Pol_MSS_PerformRouterDiscovery-End -->
<!-- Pol_MSS_SafeDllSearchMode-Begin -->
## Pol_MSS_SafeDllSearchMode
<!-- Pol_MSS_SafeDllSearchMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_SafeDllSearchMode-Applicability-End -->
<!-- Pol_MSS_SafeDllSearchMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SafeDllSearchMode
```
<!-- Pol_MSS_SafeDllSearchMode-OmaUri-End -->
<!-- Pol_MSS_SafeDllSearchMode-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_SafeDllSearchMode-Description-End -->
<!-- Pol_MSS_SafeDllSearchMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Enable Safe DLL search mode (recommended).
<!-- Pol_MSS_SafeDllSearchMode-Editable-End -->
<!-- Pol_MSS_SafeDllSearchMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_SafeDllSearchMode-DFProperties-End -->
<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-End -->
<!-- Pol_MSS_SafeDllSearchMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_SafeDllSearchMode-Examples-End -->
<!-- Pol_MSS_SafeDllSearchMode-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Begin -->
## Pol_MSS_ScreenSaverGracePeriod
<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_ScreenSaverGracePeriod
```
<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Description-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
he time in seconds before the screen saver grace period expires (0 recommended).
<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-End -->
<!-- Pol_MSS_ScreenSaverGracePeriod-End -->
<!-- Pol_MSS_SynAttackProtect-Begin -->
## Pol_MSS_SynAttackProtect
<!-- Pol_MSS_SynAttackProtect-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_SynAttackProtect-Applicability-End -->
<!-- Pol_MSS_SynAttackProtect-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SynAttackProtect
```
<!-- Pol_MSS_SynAttackProtect-OmaUri-End -->
<!-- Pol_MSS_SynAttackProtect-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_SynAttackProtect-Description-End -->
<!-- Pol_MSS_SynAttackProtect-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Syn attack protection level (protects against DoS).
<!-- Pol_MSS_SynAttackProtect-Editable-End -->
<!-- Pol_MSS_SynAttackProtect-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_SynAttackProtect-DFProperties-End -->
<!-- Pol_MSS_SynAttackProtect-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_SynAttackProtect-AdmxBacked-End -->
<!-- Pol_MSS_SynAttackProtect-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_SynAttackProtect-Examples-End -->
<!-- Pol_MSS_SynAttackProtect-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Begin -->
## Pol_MSS_TcpMaxConnectResponseRetransmissions
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxConnectResponseRetransmissions
```
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
SYN-ACK retransmissions when a connection request is not acknowledged.
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-End -->
<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Begin -->
## Pol_MSS_TcpMaxDataRetransmissions
<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissions
```
<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissions-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Begin -->
## Pol_MSS_TcpMaxDataRetransmissionsIPv6
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissionsIPv6
```
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-End -->
<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-End -->
<!-- Pol_MSS_WarningLevel-Begin -->
## Pol_MSS_WarningLevel
<!-- Pol_MSS_WarningLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Pol_MSS_WarningLevel-Applicability-End -->
<!-- Pol_MSS_WarningLevel-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_WarningLevel
```
<!-- Pol_MSS_WarningLevel-OmaUri-End -->
<!-- Pol_MSS_WarningLevel-Description-Begin -->
<!-- Description-Not-Found -->
<!-- Pol_MSS_WarningLevel-Description-End -->
<!-- Pol_MSS_WarningLevel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Percentage threshold for the security event log at which the system will generate a warning.
<!-- Pol_MSS_WarningLevel-Editable-End -->
<!-- Pol_MSS_WarningLevel-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Pol_MSS_WarningLevel-DFProperties-End -->
<!-- Pol_MSS_WarningLevel-AdmxBacked-Begin -->
<!-- Unknown -->
<!-- Pol_MSS_WarningLevel-AdmxBacked-End -->
<!-- Pol_MSS_WarningLevel-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Pol_MSS_WarningLevel-Examples-End -->
<!-- Pol_MSS_WarningLevel-End -->
<!-- ADMX_MSS-legacy-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_MSS-legacy-CspMoreInfo-End -->
<!-- ADMX_MSS-legacy-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1145
windows/client-management/mdm/policy-csp-admx-qos.md Normal file
View File

File diff suppressed because it is too large Load Diff

113
windows/client-management/mdm/policy-csp-admx-sam.md Normal file
View File

@ -0,0 +1,113 @@
---
title: ADMX_sam Policy CSP
description: Learn more about the ADMX_sam Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_sam-Begin -->
# Policy CSP - ADMX_sam
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- ADMX_sam-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_sam-Editable-End -->
<!-- SamNGCKeyROCAValidation-Begin -->
## SamNGCKeyROCAValidation
<!-- SamNGCKeyROCAValidation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- SamNGCKeyROCAValidation-Applicability-End -->
<!-- SamNGCKeyROCAValidation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation
```
<!-- SamNGCKeyROCAValidation-OmaUri-End -->
<!-- SamNGCKeyROCAValidation-Description-Begin -->
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
For more information on the ROCA vulnerability, please see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
https://en.wikipedia.org/wiki/ROCA_vulnerability
If you enable this policy setting the following options are supported:
Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
This setting only takes effect on domain controllers.
If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.
A reboot is not required for changes to this setting to take effect.
Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
<!-- SamNGCKeyROCAValidation-Description-End -->
<!-- SamNGCKeyROCAValidation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SamNGCKeyROCAValidation-Editable-End -->
<!-- SamNGCKeyROCAValidation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SamNGCKeyROCAValidation-DFProperties-End -->
<!-- SamNGCKeyROCAValidation-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | SamNGCKeyROCAValidation |
| Friendly Name | Configure validation of ROCA-vulnerable WHfB keys during authentication |
| Location | Computer Configuration |
| Path | System > Security Account Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM |
| ADMX File Name | sam.admx |
<!-- SamNGCKeyROCAValidation-AdmxBacked-End -->
<!-- SamNGCKeyROCAValidation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SamNGCKeyROCAValidation-Examples-End -->
<!-- SamNGCKeyROCAValidation-End -->
<!-- ADMX_sam-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_sam-CspMoreInfo-End -->
<!-- ADMX_sam-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1038
windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md Normal file
View File

File diff suppressed because it is too large Load Diff

1
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -9,6 +9,7 @@ author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.reviewer: bobgil ms.reviewer: bobgil
manager: aaroncz manager: aaroncz
ms.date: 12/31/2017
--- ---
# Policy CSP - Authentication # Policy CSP - Authentication

85
windows/client-management/mdm/policy-csp-clouddesktop.md Normal file
View File

@ -0,0 +1,85 @@
---
title: CloudDesktop Policy CSP
description: Learn more about the CloudDesktop Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/09/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudDesktop-Begin -->
# Policy CSP - CloudDesktop
<!-- CloudDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-Editable-End -->
<!-- BootToCloudMode-Begin -->
## BootToCloudMode
<!-- BootToCloudMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- BootToCloudMode-Applicability-End -->
<!-- BootToCloudMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode
```
<!-- BootToCloudMode-OmaUri-End -->
<!-- BootToCloudMode-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well.
This policy supports the below options:
1. Not Configured: Machine will not trigger the Cloud PC connection automatically.
2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC.
<!-- BootToCloudMode-Description-End -->
<!-- BootToCloudMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- BootToCloudMode-Editable-End -->
<!-- BootToCloudMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- BootToCloudMode-DFProperties-End -->
<!-- BootToCloudMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not Configured |
| 1 | Enable Boot to Cloud Desktop |
<!-- BootToCloudMode-AllowedValues-End -->
<!-- BootToCloudMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- BootToCloudMode-Examples-End -->
<!-- BootToCloudMode-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-CspMoreInfo-End -->
<!-- CloudDesktop-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

79
windows/client-management/mdm/policy-csp-cloudpc.md Normal file
View File

@ -0,0 +1,79 @@
---
title: CloudPC Policy CSP
description: Learn more about the CloudPC Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudPC-Begin -->
# Policy CSP - CloudPC
<!-- CloudPC-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPC-Editable-End -->
<!-- CloudPCConfiguration-Begin -->
## CloudPCConfiguration
<!-- CloudPCConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- CloudPCConfiguration-Applicability-End -->
<!-- CloudPCConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration
```
<!-- CloudPCConfiguration-OmaUri-End -->
<!-- CloudPCConfiguration-Description-Begin -->
This policy is used by IT admin to set the configuration mode of cloud PC.
<!-- CloudPCConfiguration-Description-End -->
<!-- CloudPCConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Editable-End -->
<!-- CloudPCConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CloudPCConfiguration-DFProperties-End -->
<!-- CloudPCConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Fast Switching Configuration. |
| 1 | Boot to cloud PC Configuration. |
<!-- CloudPCConfiguration-AllowedValues-End -->
<!-- CloudPCConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Examples-End -->
<!-- CloudPCConfiguration-End -->
<!-- CloudPC-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudPC-CspMoreInfo-End -->
<!-- CloudPC-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

18
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -9,6 +9,7 @@ author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.date: 12/31/2017
--- ---
# Policy CSP - ControlPolicyConflict # Policy CSP - ControlPolicyConflict
@ -20,25 +21,16 @@ manager: aaroncz
<!--Policies--> <!--Policies-->
## ControlPolicyConflict policies ## ControlPolicyConflict policies
<dl>
<dd>
<a href="#controlpolicyconflict-mdmwinsovergp">ControlPolicyConflict/MDMWinsOverGP</a>
</dd>
</dl>
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="controlpolicyconflict-mdmwinsovergp"></a>**ControlPolicyConflict/MDMWinsOverGP** <a href="" id="controlpolicyconflict-mdmwinsovergp"></a>**ControlPolicyConflict/MDMWinsOverGP**
> [!NOTE] > [!NOTE]
> This setting doesn't apply to the following types of group policies: > This setting doesn't apply to the following types of group policies:
> >
> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies. > - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies.
> - If they aren't defined by an ADMX. For example, Password policy - minimum password age. > - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts.
> - If they're in the Windows Update category. > - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls.
> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy. > - If they are in the Windows Update category.
<!--SupportedSKUs--> <!--SupportedSKUs-->

5119
windows/client-management/mdm/policy-csp-defender.md
View File

File diff suppressed because it is too large Load Diff

6
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -702,11 +702,7 @@ ADMX Info:
<!--Description--> <!--Description-->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory.
When set, the Group ID will be assigned automatically from the selected source. When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
If you set this policy, the GroupID policy will be ignored.
The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.

1
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -9,6 +9,7 @@ author: vinaypamnani-msft
ms.localizationpriority: medium ms.localizationpriority: medium
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.date: 12/31/2017
--- ---
# Policy CSP - InternetExplorer # Policy CSP - InternetExplorer

1
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -9,6 +9,7 @@ ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.date: 12/31/2017
--- ---
# Policy CSP - MixedReality # Policy CSP - MixedReality

305
windows/client-management/mdm/policy-csp-msslegacy.md
View File

@ -1,211 +1,210 @@
--- ---
title: Policy CSP - MSSLegacy title: MSSLegacy Policy CSP
description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. description: Learn more about the MSSLegacy Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- MSSLegacy-Begin -->
# Policy CSP - MSSLegacy # Policy CSP - MSSLegacy
<hr/>
<!--Policies-->
## MSSLegacy policies
<dl>
<dd>
<a href="#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes">MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes</a>
</dd>
<dd>
<a href="#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers">MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers</a>
</dd>
<dd>
<a href="#msslegacy-ipsourceroutingprotectionlevel">MSSLegacy/IPSourceRoutingProtectionLevel</a>
</dd>
<dd>
<a href="#msslegacy-ipv6sourceroutingprotectionlevel">MSSLegacy/IPv6SourceRoutingProtectionLevel</a>
</dd>
</dl>
> [!TIP] > [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <!-- MSSLegacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSLegacy-Editable-End -->
<!--Policy--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Begin -->
<a href="" id="msslegacy-allowicmpredirectstooverrideospfgeneratedroutes"></a>**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes** ## AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
<!--SupportedSKUs--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-End -->
|Edition|Windows 10|Windows 11| <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-Begin -->
|--- |--- |--- | ```Device
|Home|No|No| ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
|Pro|Yes|Yes| ```
|Windows SE|No|Yes| <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-Begin -->
<hr/> <!-- Description-Not-Found -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-End -->
<!--Scope--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Allow ICMP redirects to override OSPF generated routes.
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-End -->
> [!div class = "checklist"] <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-Begin -->
> * Device **Description framework properties**:
<hr/> | Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-End -->
<!--/Scope--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-Begin -->
<!--Description--> <!-- Unknown -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-End -->
<!--/Description--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-End -->
<!--ADMXBacked--> <!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-End -->
ADMX Info:
- GP name: *Pol_MSS_EnableICMPRedirect*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked--> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Begin -->
<!--/Policy--> ## AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
<hr/> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-End -->
<!--Policy--> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-Begin -->
<a href="" id="msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers"></a>**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers** ```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
```
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-End -->
<!--SupportedSKUs--> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-Begin -->
<!-- Description-Not-Found -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-End -->
|Edition|Windows 10|Windows 11| <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-Begin -->
|--- |--- |--- | <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|Home|No|No| Allow the computer to ignore NetBIOS name release requests except from WINS servers.
|Pro|Yes|Yes| <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-End -->
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-Begin -->
<hr/> **Description framework properties**:
<!--Scope--> | Property name | Property value |
[Scope](./policy-configuration-service-provider.md#policy-scope): |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-End -->
> [!div class = "checklist"] <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-Begin -->
> * Device <!-- Unknown -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-End -->
<hr/> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-End -->
<!--/Scope--> <!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-End -->
<!--Description-->
<!--/Description--> <!-- IPSourceRoutingProtectionLevel-Begin -->
## IPSourceRoutingProtectionLevel
<!-- IPSourceRoutingProtectionLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- IPSourceRoutingProtectionLevel-Applicability-End -->
<!--ADMXBacked--> <!-- IPSourceRoutingProtectionLevel-OmaUri-Begin -->
ADMX Info: ```Device
- GP name: *Pol_MSS_NoNameReleaseOnDemand* ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel
- GP ADMX file name: *mss-legacy.admx* ```
<!-- IPSourceRoutingProtectionLevel-OmaUri-End -->
<!--/ADMXBacked--> <!-- IPSourceRoutingProtectionLevel-Description-Begin -->
<!--/Policy--> <!-- Description-Not-Found -->
<!-- IPSourceRoutingProtectionLevel-Description-End -->
<hr/> <!-- IPSourceRoutingProtectionLevel-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
IP source routing protection level (protects against packet spoofing).
<!-- IPSourceRoutingProtectionLevel-Editable-End -->
<!--Policy--> <!-- IPSourceRoutingProtectionLevel-DFProperties-Begin -->
<a href="" id="msslegacy-ipsourceroutingprotectionlevel"></a>**MSSLegacy/IPSourceRoutingProtectionLevel** **Description framework properties**:
<!--SupportedSKUs--> | Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- IPSourceRoutingProtectionLevel-DFProperties-End -->
|Edition|Windows 10|Windows 11| <!-- IPSourceRoutingProtectionLevel-AdmxBacked-Begin -->
|--- |--- |--- | <!-- Unknown -->
|Home|No|No| <!-- IPSourceRoutingProtectionLevel-AdmxBacked-End -->
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- IPSourceRoutingProtectionLevel-Examples-Begin -->
<hr/> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- IPSourceRoutingProtectionLevel-Examples-End -->
<!--Scope--> <!-- IPSourceRoutingProtectionLevel-End -->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] <!-- IPv6SourceRoutingProtectionLevel-Begin -->
> * Device ## IPv6SourceRoutingProtectionLevel
<hr/> <!-- IPv6SourceRoutingProtectionLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- IPv6SourceRoutingProtectionLevel-Applicability-End -->
<!--/Scope--> <!-- IPv6SourceRoutingProtectionLevel-OmaUri-Begin -->
<!--Description--> ```Device
./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel
```
<!-- IPv6SourceRoutingProtectionLevel-OmaUri-End -->
<!--/Description--> <!-- IPv6SourceRoutingProtectionLevel-Description-Begin -->
<!-- Description-Not-Found -->
<!-- IPv6SourceRoutingProtectionLevel-Description-End -->
<!--ADMXBacked--> <!-- IPv6SourceRoutingProtectionLevel-Editable-Begin -->
ADMX Info: <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
- GP name: *Pol_MSS_DisableIPSourceRouting* IPv6 source routing protection level (protects against packet spoofing).
- GP ADMX file name: *mss-legacy.admx* <!-- IPv6SourceRoutingProtectionLevel-Editable-End -->
<!--/ADMXBacked--> <!-- IPv6SourceRoutingProtectionLevel-DFProperties-Begin -->
<!--/Policy--> **Description framework properties**:
<hr/> | Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- IPv6SourceRoutingProtectionLevel-DFProperties-End -->
<!--Policy--> <!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-Begin -->
<a href="" id="msslegacy-ipv6sourceroutingprotectionlevel"></a>**MSSLegacy/IPv6SourceRoutingProtectionLevel** <!-- Unknown -->
<!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-End -->
<!--SupportedSKUs--> <!-- IPv6SourceRoutingProtectionLevel-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- IPv6SourceRoutingProtectionLevel-Examples-End -->
|Edition|Windows 10|Windows 11| <!-- IPv6SourceRoutingProtectionLevel-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- MSSLegacy-CspMoreInfo-Begin -->
<hr/> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- MSSLegacy-CspMoreInfo-End -->
<!--Scope--> <!-- MSSLegacy-End -->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] ## Related articles
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

96
windows/client-management/mdm/policy-csp-settingssync.md Normal file
View File

@ -0,0 +1,96 @@
---
title: SettingsSync Policy CSP
description: Learn more about the SettingsSync Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- SettingsSync-Begin -->
# Policy CSP - SettingsSync
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- SettingsSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-Editable-End -->
<!-- DisableAccessibilitySettingSync-Begin -->
## DisableAccessibilitySettingSync
<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- DisableAccessibilitySettingSync-Applicability-End -->
<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync
```
<!-- DisableAccessibilitySettingSync-OmaUri-End -->
<!-- DisableAccessibilitySettingSync-Description-Begin -->
Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings.
If you enable this policy setting, the "accessibility", group will not be synced.
Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled.
If you do not set or disable this setting, syncing of the "accessibility" group is on by default and configurable by the user.
<!-- DisableAccessibilitySettingSync-Description-End -->
<!-- DisableAccessibilitySettingSync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAccessibilitySettingSync-Editable-End -->
<!-- DisableAccessibilitySettingSync-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DisableAccessibilitySettingSync-DFProperties-End -->
<!-- DisableAccessibilitySettingSync-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAccessibilitySettingSync |
| Friendly Name | Do not sync accessibility settings |
| Location | Computer Configuration |
| Path | Windows Components > Sync your settings |
| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync |
| Registry Value Name | DisableAccessibilitySettingSync |
| ADMX File Name | SettingSync.admx |
<!-- DisableAccessibilitySettingSync-AdmxBacked-End -->
<!-- DisableAccessibilitySettingSync-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAccessibilitySettingSync-Examples-End -->
<!-- DisableAccessibilitySettingSync-End -->
<!-- SettingsSync-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- SettingsSync-CspMoreInfo-End -->
<!-- SettingsSync-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

79
windows/client-management/mdm/policy-csp-stickers.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Stickers Policy CSP
description: Learn more about the Stickers Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- Stickers-Begin -->
# Policy CSP - Stickers
<!-- Stickers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Stickers-Editable-End -->
<!-- EnableStickers-Begin -->
## EnableStickers
<!-- EnableStickers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStickers-Applicability-End -->
<!-- EnableStickers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Stickers/EnableStickers
```
<!-- EnableStickers-OmaUri-End -->
<!-- EnableStickers-Description-Begin -->
This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop
<!-- EnableStickers-Description-End -->
<!-- EnableStickers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStickers-Editable-End -->
<!-- EnableStickers-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableStickers-DFProperties-End -->
<!-- EnableStickers-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- EnableStickers-AllowedValues-End -->
<!-- EnableStickers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStickers-Examples-End -->
<!-- EnableStickers-End -->
<!-- Stickers-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Stickers-CspMoreInfo-End -->
<!-- Stickers-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

6
windows/client-management/mdm/policy-csp-system.md
View File

@ -205,7 +205,7 @@ Windows diagnostic data is collected when the Allow Telemetry policy setting is
If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsofts [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsofts [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing.
Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.
See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
@ -700,11 +700,11 @@ To enable this behavior, you must complete three steps:
1. Enable this policy setting. 1. Enable this policy setting.
2. Set **AllowTelemetry** to 1 **Required (Basic)** or above. 2. Set **AllowTelemetry** to 1 **Required (Basic)** or above.
3. Set the Configure the Commercial ID setting for your Update Compliance workspace. 3. If you're using Update Compliance rather than Windows Update for Business reports, set the Configure the Commercial ID setting for your Update Compliance workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or don't configure this policy setting, devices won't appear in Update Compliance. If you disable or don't configure this policy setting, devices won't appear in Windows Update for Business reports or Update Compliance.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->

80
windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md Normal file
View File

@ -0,0 +1,80 @@
---
title: TenantDefinedTelemetry Policy CSP
description: Learn more about the TenantDefinedTelemetry Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/02/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- TenantDefinedTelemetry-Begin -->
# Policy CSP - TenantDefinedTelemetry
<!-- TenantDefinedTelemetry-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TenantDefinedTelemetry-Editable-End -->
<!-- CustomTelemetryId-Begin -->
## CustomTelemetryId
<!-- CustomTelemetryId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- CustomTelemetryId-Applicability-End -->
<!-- CustomTelemetryId-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/TenantDefinedTelemetry/CustomTelemetryId
```
<!-- CustomTelemetryId-OmaUri-End -->
<!-- CustomTelemetryId-Description-Begin -->
This policy is used to let mission control what type of Edition we are currently in.
<!-- CustomTelemetryId-Description-End -->
<!-- CustomTelemetryId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CustomTelemetryId-Editable-End -->
<!-- CustomTelemetryId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CustomTelemetryId-DFProperties-End -->
<!-- CustomTelemetryId-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Base |
| 1 | Education |
| 2 | Commercial |
<!-- CustomTelemetryId-AllowedValues-End -->
<!-- CustomTelemetryId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CustomTelemetryId-Examples-End -->
<!-- CustomTelemetryId-End -->
<!-- TenantDefinedTelemetry-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- TenantDefinedTelemetry-CspMoreInfo-End -->
<!-- TenantDefinedTelemetry-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

98
windows/client-management/mdm/policy-csp-tenantrestrictions.md Normal file
View File

@ -0,0 +1,98 @@
---
title: TenantRestrictions Policy CSP
description: Learn more about the TenantRestrictions Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 11/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- TenantRestrictions-Begin -->
# Policy CSP - TenantRestrictions
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- TenantRestrictions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TenantRestrictions-Editable-End -->
<!-- ConfigureTenantRestrictions-Begin -->
## ConfigureTenantRestrictions
<!-- ConfigureTenantRestrictions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later <br> :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later <br> :heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ConfigureTenantRestrictions-Applicability-End -->
<!-- ConfigureTenantRestrictions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/TenantRestrictions/ConfigureTenantRestrictions
```
<!-- ConfigureTenantRestrictions-OmaUri-End -->
<!-- ConfigureTenantRestrictions-Description-Begin -->
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
https://go.microsoft.com/fwlink/?linkid=2148762
Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230
<!-- ConfigureTenantRestrictions-Description-End -->
<!-- ConfigureTenantRestrictions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureTenantRestrictions-Editable-End -->
<!-- ConfigureTenantRestrictions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureTenantRestrictions-DFProperties-End -->
<!-- ConfigureTenantRestrictions-AdmxBacked-Begin -->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | trv2_payload |
| Friendly Name | Cloud Policy Details |
| Location | Computer Configuration |
| Path | Windows Components > Tenant Restrictions |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload |
| ADMX File Name | TenantRestrictions.admx |
<!-- ConfigureTenantRestrictions-AdmxBacked-End -->
<!-- ConfigureTenantRestrictions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureTenantRestrictions-Examples-End -->
<!-- ConfigureTenantRestrictions-End -->
<!-- TenantRestrictions-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- TenantRestrictions-CspMoreInfo-End -->
<!-- TenantRestrictions-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

23
windows/client-management/mdm/policy-csp-update.md
View File

@ -2988,6 +2988,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the day of the update installation. Enables the IT admin to schedule the day of the update installation.
Supported data type is an integer. Supported data type is an integer.
@ -3049,6 +3052,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on every week. Enables the IT admin to schedule the update installation on every week.
Supported Value type is integer. Supported Value type is integer.
@ -3100,6 +3106,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the first week of the month. Enables the IT admin to schedule the update installation on the first week of the month.
Supported value type is integer. Supported value type is integer.
@ -3151,6 +3160,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the fourth week of the month. Enables the IT admin to schedule the update installation on the fourth week of the month.
Supported value type is integer. Supported value type is integer.
@ -3202,9 +3214,12 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the second week of the month. Enables the IT admin to schedule the update installation on the second week of the month.
Supported vlue type is integer. Supported value type is integer.
Supported values: Supported values:
@ -3254,6 +3269,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the update installation on the third week of the month. Enables the IT admin to schedule the update installation on the third week of the month.
Supported value type is integer. Supported value type is integer.
@ -3305,6 +3323,9 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation. Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation.
The supported data type is an integer. The supported data type is an integer.

840
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,267 +1,280 @@
--- ---
title: Policy CSP - WindowsLogon title: WindowsLogon Policy CSP
description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. description: Learn more about the WindowsLogon Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/09/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- WindowsLogon-Begin -->
# Policy CSP - WindowsLogon # Policy CSP - WindowsLogon
<hr/>
<!--Policies-->
## WindowsLogon policies
<dl>
<dd>
<a href="#windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
</dl>
> [!TIP] > [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <!-- WindowsLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsLogon-Editable-End -->
<!--Policy--> <!-- AllowAutomaticRestartSignOn-Begin -->
<a href="" id="windowslogon-allowautomaticrestartsignon"></a>**WindowsLogon/AllowAutomaticRestartSignOn** ## AllowAutomaticRestartSignOn
<!--SupportedSKUs--> <!-- AllowAutomaticRestartSignOn-Applicability-Begin -->
The table below shows the applicability of Windows: | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- AllowAutomaticRestartSignOn-Applicability-End -->
|Edition|Windows 10|Windows 11| <!-- AllowAutomaticRestartSignOn-OmaUri-Begin -->
|--- |--- |--- | ```Device
|Home|Yes|Yes| ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn
|Pro|Yes|Yes| ```
|Windows SE|No|Yes| <!-- AllowAutomaticRestartSignOn-OmaUri-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- AllowAutomaticRestartSignOn-Description-Begin -->
<hr/> <!-- Description-Source-ADMX -->
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
<!--Scope--> This only occurs if the last interactive user didnt sign out before the restart or shutdown.
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
> * Device
<hr/> If you dont configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
<!--/Scope--> After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
<!--Description-->
This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot.
This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown. If you disable this policy setting, the device does not configure automatic sign in. The users lock screen apps are not restarted after the system restarts.
<!-- AllowAutomaticRestartSignOn-Description-End -->
If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns. <!-- AllowAutomaticRestartSignOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowAutomaticRestartSignOn-Editable-End -->
If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. <!-- AllowAutomaticRestartSignOn-DFProperties-Begin -->
**Description framework properties**:
After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot. | Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowAutomaticRestartSignOn-DFProperties-End -->
If you disable this policy setting, the device doesn't configure automatic sign in. The users lock screen apps aren't restarted after the system restarts. <!-- AllowAutomaticRestartSignOn-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/Description--> **ADMX mapping**:
<!--ADMXBacked--> | Name | Value |
ADMX Info: |:--|:--|
- GP Friendly name: *Sign-in and lock last interactive user automatically after a restart* | Name | AutomaticRestartSignOnDescription |
- GP name: *AutomaticRestartSignOn* | Friendly Name | Sign-in and lock last interactive user automatically after a restart |
- GP path: *Windows Components/Windows Logon Options* | Location | Computer Configuration |
- GP ADMX file name: *WinLogon.admx* | Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | DisableAutomaticRestartSignOn |
| ADMX File Name | WinLogon.admx |
<!-- AllowAutomaticRestartSignOn-AdmxBacked-End -->
<!--/ADMXBacked--> <!-- AllowAutomaticRestartSignOn-Examples-Begin -->
<!--SupportedValues--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowAutomaticRestartSignOn-Examples-End -->
<!--/SupportedValues--> <!-- AllowAutomaticRestartSignOn-End -->
<!--Example-->
<!--/Example--> <!-- ConfigAutomaticRestartSignOn-Begin -->
<!--Validation--> ## ConfigAutomaticRestartSignOn
<!--/Validation--> <!-- ConfigAutomaticRestartSignOn-Applicability-Begin -->
<!--/Policy--> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigAutomaticRestartSignOn-Applicability-End -->
<hr/> <!-- ConfigAutomaticRestartSignOn-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn
```
<!-- ConfigAutomaticRestartSignOn-OmaUri-End -->
<!--Policy--> <!-- ConfigAutomaticRestartSignOn-Description-Begin -->
<a href="" id="windowslogon-configautomaticrestartsignon"></a>**WindowsLogon/ConfigAutomaticRestartSignOn** <!-- Description-Source-ADMX -->
This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured.
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured.
If you enable this policy setting, you can choose one of the following two options: If you enable this policy setting, you can choose one of the following two options:
- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. 1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if: BitLocker is suspended during updates if:
- The device doesn't have TPM 2.0 and PCR7 - The device doesnt have TPM 2.0 and PCR7, or
- The device doesn't use a TPM-only protector - The device doesnt use a TPM-only protector
- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location. 2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior. If you disable or dont configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior.
<!-- ConfigAutomaticRestartSignOn-Description-End -->
<!--/Description--> <!-- ConfigAutomaticRestartSignOn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigAutomaticRestartSignOn-Editable-End -->
<!--ADMXBacked--> <!-- ConfigAutomaticRestartSignOn-DFProperties-Begin -->
ADMX Info: **Description framework properties**:
- GP Friendly name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot*
- GP name: *ConfigAutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked--> | Property name | Property value |
<!--SupportedValues--> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigAutomaticRestartSignOn-DFProperties-End -->
<!--/SupportedValues--> <!-- ConfigAutomaticRestartSignOn-AdmxBacked-Begin -->
<!--Example--> > [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/Example--> **ADMX mapping**:
<!--Validation-->
<!--/Validation--> | Name | Value |
<!--/Policy--> |:--|:--|
| Name | ConfigAutomaticRestartSignOnDescription |
| Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | WinLogon.admx |
<!-- ConfigAutomaticRestartSignOn-AdmxBacked-End -->
<hr/> <!-- ConfigAutomaticRestartSignOn-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigAutomaticRestartSignOn-Examples-End -->
<!--Policy--> <!-- ConfigAutomaticRestartSignOn-End -->
<a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**
<!--SupportedSKUs--> <!-- DisableLockScreenAppNotifications-Begin -->
The table below shows the applicability of Windows: ## DisableLockScreenAppNotifications
|Edition|Windows 10|Windows 11| <!-- DisableLockScreenAppNotifications-Applicability-Begin -->
|--- |--- |--- | | Scope | Editions | Applicable OS |
|Home|No|No| |:--|:--|:--|
|Pro|Yes|Yes| | :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
|Windows SE|No|Yes| <!-- DisableLockScreenAppNotifications-Applicability-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- DisableLockScreenAppNotifications-OmaUri-Begin -->
<hr/> ```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications
```
<!-- DisableLockScreenAppNotifications-OmaUri-End -->
<!--Scope--> <!-- DisableLockScreenAppNotifications-Description-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- Description-Source-ADMX -->
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to prevent app notifications from appearing on the lock screen. This policy setting allows you to prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
<!-- DisableLockScreenAppNotifications-Description-End -->
<!--/Description--> <!-- DisableLockScreenAppNotifications-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableLockScreenAppNotifications-Editable-End -->
<!--ADMXBacked--> <!-- DisableLockScreenAppNotifications-DFProperties-Begin -->
ADMX Info: **Description framework properties**:
- GP Friendly name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--/ADMXBacked--> | Property name | Property value |
<!--/Policy--> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DisableLockScreenAppNotifications-DFProperties-End -->
<hr/> <!-- DisableLockScreenAppNotifications-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy--> **ADMX mapping**:
<a href="" id="windowslogon-dontdisplaynetworkselectionui"></a>**WindowsLogon/DontDisplayNetworkSelectionUI**
<!--SupportedSKUs--> | Name | Value |
The table below shows the applicability of Windows: |:--|:--|
| Name | DisableLockScreenAppNotifications |
| Friendly Name | Turn off app notifications on the lock screen |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | DisableLockScreenAppNotifications |
| ADMX File Name | Logon.admx |
<!-- DisableLockScreenAppNotifications-AdmxBacked-End -->
|Edition|Windows 10|Windows 11| <!-- DisableLockScreenAppNotifications-Examples-Begin -->
|--- |--- |--- | <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
|Home|No|No| <!-- DisableLockScreenAppNotifications-Examples-End -->
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- DisableLockScreenAppNotifications-End -->
<hr/>
<!--Scope--> <!-- DontDisplayNetworkSelectionUI-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ## DontDisplayNetworkSelectionUI
> [!div class = "checklist"] <!-- DontDisplayNetworkSelectionUI-Applicability-Begin -->
> * Device | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- DontDisplayNetworkSelectionUI-Applicability-End -->
<hr/> <!-- DontDisplayNetworkSelectionUI-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
```
<!-- DontDisplayNetworkSelectionUI-OmaUri-End -->
<!--/Scope--> <!-- DontDisplayNetworkSelectionUI-Description-Begin -->
<!--Description--> <!-- Description-Source-ADMX -->
This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen. This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
<!-- DontDisplayNetworkSelectionUI-Description-End -->
<!-- DontDisplayNetworkSelectionUI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DontDisplayNetworkSelectionUI-Editable-End -->
<!-- DontDisplayNetworkSelectionUI-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DontDisplayNetworkSelectionUI-DFProperties-End -->
<!-- DontDisplayNetworkSelectionUI-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DontDisplayNetworkSelectionUI |
| Friendly Name | Do not display network selection UI |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | DontDisplayNetworkSelectionUI |
| ADMX File Name | Logon.admx |
<!-- DontDisplayNetworkSelectionUI-AdmxBacked-End -->
<!-- DontDisplayNetworkSelectionUI-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Example**:
Here's an example to enable this policy: Here's an example to enable this policy:
@ -287,236 +300,333 @@ Here's an example to enable this policy:
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
<!-- DontDisplayNetworkSelectionUI-Examples-End -->
<!--/Description--> <!-- DontDisplayNetworkSelectionUI-End -->
<!--ADMXBacked--> <!-- EnableFirstLogonAnimation-Begin -->
ADMX Info: ## EnableFirstLogonAnimation
- GP Friendly name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--/ADMXBacked--> <!-- EnableFirstLogonAnimation-Applicability-Begin -->
<!--/Policy--> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- EnableFirstLogonAnimation-Applicability-End -->
<hr/> <!-- EnableFirstLogonAnimation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
```
<!-- EnableFirstLogonAnimation-OmaUri-End -->
<!--Policy--> <!-- EnableFirstLogonAnimation-Description-Begin -->
<a href="" id="windowslogon-enablefirstlogonanimation"></a>**WindowsLogon/EnableFirstLogonAnimation** <!-- Description-Source-ADMX -->
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in.
<!--SupportedSKUs--> If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11| If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services.
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation.
<hr/>
<!--Scope--> Note: The first sign-in animation will not be shown on Server, so this policy will have no effect.
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- EnableFirstLogonAnimation-Description-End -->
> [!div class = "checklist"] <!-- EnableFirstLogonAnimation-Editable-Begin -->
> * Device <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableFirstLogonAnimation-Editable-End -->
<hr/> <!-- EnableFirstLogonAnimation-DFProperties-Begin -->
**Description framework properties**:
<!--/Scope--> | Property name | Property value |
<!--Description--> |:--|:--|
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. | Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableFirstLogonAnimation-DFProperties-End -->
If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. <!-- EnableFirstLogonAnimation-AllowedValues-Begin -->
**Allowed values**:
If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services. | Value | Description |
|:--|:--|
| 0 | Disabled. |
| 1 (Default) | Enabled. |
<!-- EnableFirstLogonAnimation-AllowedValues-End -->
If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation. <!-- EnableFirstLogonAnimation-GpMapping-Begin -->
**Group policy mapping**:
> [!NOTE] | Name | Value |
> The first sign-in animation isn't displayed on Server, so this policy has no effect. |:--|:--|
| Name | EnableFirstLogonAnimation |
| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | EnableFirstLogonAnimation |
| ADMX File Name | Logon.admx |
<!-- EnableFirstLogonAnimation-GpMapping-End -->
<!--/Description--> <!-- EnableFirstLogonAnimation-Examples-Begin -->
<!--ADMXMapped--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
ADMX Info: <!-- EnableFirstLogonAnimation-Examples-End -->
- GP Friendly name: *Show first sign-in animation*
- GP name: *EnableFirstLogonAnimation*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
<!--/ADMXMapped--> <!-- EnableFirstLogonAnimation-End -->
<!--SupportedValues-->
Supported values:
- 0 - disabled
- 1 - enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example--> <!-- EnableMPRNotifications-Begin -->
<!--Validation--> ## EnableMPRNotifications
<!--/Validation--> <!-- EnableMPRNotifications-Applicability-Begin -->
<!--/Policy--> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableMPRNotifications-Applicability-End -->
<hr/> <!-- EnableMPRNotifications-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications
```
<!-- EnableMPRNotifications-OmaUri-End -->
<!--Policy--> <!-- EnableMPRNotifications-Description-Begin -->
<a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications** <!-- Description-Source-ADMX -->
This policy controls the configuration under which winlogon sends MPR notifications in the system.
<!--SupportedSKUs--> If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11| If you disable this setting, winlogon does not send MPR notifications.
|--- |--- |--- | <!-- EnableMPRNotifications-Description-End -->
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- EnableMPRNotifications-Editable-Begin -->
<hr/> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableMPRNotifications-Editable-End -->
<!--Scope--> <!-- EnableMPRNotifications-DFProperties-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): **Description framework properties**:
> [!div class = "checklist"] | Property name | Property value |
> * Device |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableMPRNotifications-DFProperties-End -->
<hr/> <!-- EnableMPRNotifications-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/Scope--> **ADMX mapping**:
<!--Description-->
This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
If you disable (0), MPR notifications will not be sent by winlogon. | Name | Value |
|:--|:--|
| Name | EnableMPRNotifications |
| Friendly Name | Enable MPR notifications for the system |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | EnableMPR |
| ADMX File Name | WinLogon.admx |
<!-- EnableMPRNotifications-AdmxBacked-End -->
If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon. <!-- EnableMPRNotifications-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableMPRNotifications-Examples-End -->
<!--/Description--> <!-- EnableMPRNotifications-End -->
<!--SupportedValues-->
Supported values:
- 0 - disabled <!-- EnumerateLocalUsersOnDomainJoinedComputers-Begin -->
- 1 (default)- enabled ## EnumerateLocalUsersOnDomainJoinedComputers
<!--/SupportedValues-->
<!--/Policy--> <!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-End -->
<hr/> <!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
```
<!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-End -->
<!--Policy--> <!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-Begin -->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** <!-- Description-Source-ADMX -->
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows local users to be enumerated on domain-joined computers. This policy setting allows local users to be enumerated on domain-joined computers.
If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers.
If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-End -->
<!--/Description--> <!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-End -->
<!--ADMXBacked--> <!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-Begin -->
ADMX Info: **Description framework properties**:
- GP Friendly name: *Enumerate local users on domain-joined computers*
- GP name: *EnumerateLocalUsers*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--/ADMXBacked--> | Property name | Property value |
<!--/Policy--> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-End -->
<hr/> <!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy--> **ADMX mapping**:
<a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**
<!--SupportedSKUs--> | Name | Value |
The table below shows the applicability of Windows: |:--|:--|
| Name | EnumerateLocalUsers |
| Friendly Name | Enumerate local users on domain-joined computers |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | EnumerateLocalUsers |
| ADMX File Name | Logon.admx |
<!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-End -->
|Edition|Windows 10|Windows 11| <!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-Begin -->
|--- |--- |--- | <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
|Home|No|No| <!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-End -->
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- EnumerateLocalUsersOnDomainJoinedComputers-End -->
<hr/>
<!--Scope--> <!-- HideFastUserSwitching-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ## HideFastUserSwitching
> [!div class = "checklist"] <!-- HideFastUserSwitching-Applicability-Begin -->
> * Device | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- HideFastUserSwitching-Applicability-End -->
<hr/> <!-- HideFastUserSwitching-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching
```
<!-- HideFastUserSwitching-OmaUri-End -->
<!--/Scope--> <!-- HideFastUserSwitching-Description-Begin -->
<!--Description--> <!-- Description-Source-ADMX -->
This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations. This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager.
<!--/Description--> If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied.
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Hide entry points for Fast User Switching*
- GP name: *HideFastUserSwitching*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
<!--/ADMXMapped--> The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager.
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled (visible). If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
- 1 - Enabled (hidden). <!-- HideFastUserSwitching-Description-End -->
<!--/SupportedValues--> <!-- HideFastUserSwitching-Editable-Begin -->
<!--Validation--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
To validate on Desktop, do the following steps: <!-- HideFastUserSwitching-Editable-End -->
1. Enable policy. <!-- HideFastUserSwitching-DFProperties-Begin -->
2. Verify that the Switch account button in Start is hidden. **Description framework properties**:
<!--/Validation--> | Property name | Property value |
<!--/Policy--> |:--|:--|
<hr/> | Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- HideFastUserSwitching-DFProperties-End -->
<!--/Policies--> <!-- HideFastUserSwitching-AllowedValues-Begin -->
**Allowed values**:
## Related topics | Value | Description |
|:--|:--|
| 0 (Default) | Disabled (visible). |
| 1 | Enabled (hidden). |
<!-- HideFastUserSwitching-AllowedValues-End -->
<!-- HideFastUserSwitching-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | HideFastUserSwitching |
| Friendly Name | Hide entry points for Fast User Switching |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideFastUserSwitching |
| ADMX File Name | Logon.admx |
<!-- HideFastUserSwitching-GpMapping-End -->
<!-- HideFastUserSwitching-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideFastUserSwitching-Examples-End -->
<!-- HideFastUserSwitching-End -->
<!-- OverrideShellProgram-Begin -->
## OverrideShellProgram
<!-- OverrideShellProgram-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- OverrideShellProgram-Applicability-End -->
<!-- OverrideShellProgram-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram
```
<!-- OverrideShellProgram-OmaUri-End -->
<!-- OverrideShellProgram-Description-Begin -->
<!-- Description-Source-DDF -->
OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program.
The policy currently supports below options:
1. Not Configured: Default shell will be launched.
2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell.
If you disable or do not configure this policy setting, then the default shell will be launched.
<!-- OverrideShellProgram-Description-End -->
<!-- OverrideShellProgram-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideShellProgram-Editable-End -->
<!-- OverrideShellProgram-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- OverrideShellProgram-DFProperties-End -->
<!-- OverrideShellProgram-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not Configured |
| 1 | Apply Lightweight shell |
<!-- OverrideShellProgram-AllowedValues-End -->
<!-- OverrideShellProgram-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideShellProgram-Examples-End -->
<!-- OverrideShellProgram-End -->
<!-- WindowsLogon-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- WindowsLogon-CspMoreInfo-End -->
<!-- WindowsLogon-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

34
windows/client-management/mdm/toc.yml
View File

@ -1,5 +1,5 @@
items: items:
- name: Configuration service provider reference - name: Configuration service provider reference
href: index.yml href: index.yml
expanded: true expanded: true
items: items:
@ -128,8 +128,6 @@ items:
href: policy-csp-admx-eaime.md href: policy-csp-admx-eaime.md
- name: ADMX_EncryptFilesonMove - name: ADMX_EncryptFilesonMove
href: policy-csp-admx-encryptfilesonmove.md href: policy-csp-admx-encryptfilesonmove.md
- name: ADMX_EventLogging
href: policy-csp-admx-eventlogging.md
- name: ADMX_EnhancedStorage - name: ADMX_EnhancedStorage
href: policy-csp-admx-enhancedstorage.md href: policy-csp-admx-enhancedstorage.md
- name: ADMX_ErrorReporting - name: ADMX_ErrorReporting
@ -138,6 +136,8 @@ items:
href: policy-csp-admx-eventforwarding.md href: policy-csp-admx-eventforwarding.md
- name: ADMX_EventLog - name: ADMX_EventLog
href: policy-csp-admx-eventlog.md href: policy-csp-admx-eventlog.md
- name: ADMX_EventLogging
href: policy-csp-admx-eventlogging.md
- name: ADMX_EventViewer - name: ADMX_EventViewer
href: policy-csp-admx-eventviewer.md href: policy-csp-admx-eventviewer.md
- name: ADMX_Explorer - name: ADMX_Explorer
@ -210,6 +210,8 @@ items:
href: policy-csp-admx-msi.md href: policy-csp-admx-msi.md
- name: ADMX_MsiFileRecovery - name: ADMX_MsiFileRecovery
href: policy-csp-admx-msifilerecovery.md href: policy-csp-admx-msifilerecovery.md
- name: ADMX_MSS-legacy
href: policy-csp-admx-mss-legacy.md
- name: ADMX_nca - name: ADMX_nca
href: policy-csp-admx-nca.md href: policy-csp-admx-nca.md
- name: ADMX_NCSI - name: ADMX_NCSI
@ -240,6 +242,8 @@ items:
href: policy-csp-admx-printing2.md href: policy-csp-admx-printing2.md
- name: ADMX_Programs - name: ADMX_Programs
href: policy-csp-admx-programs.md href: policy-csp-admx-programs.md
- name: ADMX_QOS
href: policy-csp-admx-qos.md
- name: ADMX_Reliability - name: ADMX_Reliability
href: policy-csp-admx-reliability.md href: policy-csp-admx-reliability.md
- name: ADMX_RemoteAssistance - name: ADMX_RemoteAssistance
@ -248,6 +252,8 @@ items:
href: policy-csp-admx-removablestorage.md href: policy-csp-admx-removablestorage.md
- name: ADMX_RPC - name: ADMX_RPC
href: policy-csp-admx-rpc.md href: policy-csp-admx-rpc.md
- name: ADMX_sam
href: policy-csp-admx-sam.md
- name: ADMX_Scripts - name: ADMX_Scripts
href: policy-csp-admx-scripts.md href: policy-csp-admx-scripts.md
- name: ADMX_sdiageng - name: ADMX_sdiageng
@ -278,6 +284,8 @@ items:
href: policy-csp-admx-startmenu.md href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore - name: ADMX_SystemRestore
href: policy-csp-admx-systemrestore.md href: policy-csp-admx-systemrestore.md
- name: ADMX_TabletPCInputPanel
href: policy-csp-admx-tabletpcinputpanel.md
- name: ADMX_TabletShell - name: ADMX_TabletShell
href: policy-csp-admx-tabletshell.md href: policy-csp-admx-tabletshell.md
- name: ADMX_Taskbar - name: ADMX_Taskbar
@ -320,8 +328,6 @@ items:
href: policy-csp-admx-wininit.md href: policy-csp-admx-wininit.md
- name: ADMX_WinLogon - name: ADMX_WinLogon
href: policy-csp-admx-winlogon.md href: policy-csp-admx-winlogon.md
- name: ADMX-Winsrv
href: policy-csp-admx-winsrv.md
- name: ADMX_wlansvc - name: ADMX_wlansvc
href: policy-csp-admx-wlansvc.md href: policy-csp-admx-wlansvc.md
- name: ADMX_WordWheel - name: ADMX_WordWheel
@ -330,6 +336,8 @@ items:
href: policy-csp-admx-workfoldersclient.md href: policy-csp-admx-workfoldersclient.md
- name: ADMX_WPN - name: ADMX_WPN
href: policy-csp-admx-wpn.md href: policy-csp-admx-wpn.md
- name: ADMX-Winsrv
href: policy-csp-admx-winsrv.md
- name: ApplicationDefaults - name: ApplicationDefaults
href: policy-csp-applicationdefaults.md href: policy-csp-applicationdefaults.md
- name: ApplicationManagement - name: ApplicationManagement
@ -358,14 +366,18 @@ items:
href: policy-csp-camera.md href: policy-csp-camera.md
- name: Cellular - name: Cellular
href: policy-csp-cellular.md href: policy-csp-cellular.md
- name: CloudDesktop
href: policy-csp-clouddesktop.md
- name: CloudPC
href: policy-csp-cloudpc.md
- name: Connectivity - name: Connectivity
href: policy-csp-connectivity.md href: policy-csp-connectivity.md
- name: ControlPolicyConflict - name: ControlPolicyConflict
href: policy-csp-controlpolicyconflict.md href: policy-csp-controlpolicyconflict.md
- name: CredentialsDelegation
href: policy-csp-credentialsdelegation.md
- name: CredentialProviders - name: CredentialProviders
href: policy-csp-credentialproviders.md href: policy-csp-credentialproviders.md
- name: CredentialsDelegation
href: policy-csp-credentialsdelegation.md
- name: CredentialsUI - name: CredentialsUI
href: policy-csp-credentialsui.md href: policy-csp-credentialsui.md
- name: Cryptography - name: Cryptography
@ -488,10 +500,14 @@ items:
href: policy-csp-servicecontrolmanager.md href: policy-csp-servicecontrolmanager.md
- name: Settings - name: Settings
href: policy-csp-settings.md href: policy-csp-settings.md
- name: SettingsSync
href: policy-csp-settingssync.md
- name: Speech - name: Speech
href: policy-csp-speech.md href: policy-csp-speech.md
- name: Start - name: Start
href: policy-csp-start.md href: policy-csp-start.md
- name: Stickers
href: policy-csp-stickers.md
- name: Storage - name: Storage
href: policy-csp-storage.md href: policy-csp-storage.md
- name: System - name: System
@ -502,6 +518,10 @@ items:
href: policy-csp-taskmanager.md href: policy-csp-taskmanager.md
- name: TaskScheduler - name: TaskScheduler
href: policy-csp-taskscheduler.md href: policy-csp-taskscheduler.md
- name: TenantDefinedTelemetry
href: policy-csp-tenantdefinedtelemetry.md
- name: TenantRestrictions
href: policy-csp-tenantrestrictions.md
- name: TextInput - name: TextInput
href: policy-csp-textinput.md href: policy-csp-textinput.md
- name: TimeLanguageSettings - name: TimeLanguageSettings

6
windows/client-management/new-in-windows-mdm-enrollment-management.md
View File

@ -348,9 +348,9 @@ No. Only one MDM is allowed.
Entry | Description Entry | Description
--------------- | -------------------- --------------- | --------------------
What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
## Change history for MDM documentation ## Change history for MDM documentation

2
windows/configuration/cortana-at-work/cortana-at-work-overview.md
View File

@ -8,6 +8,8 @@ author: aczechowski
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: aaroncz ms.author: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Configure Cortana in Windows 10 and Windows 11 # Configure Cortana in Windows 10 and Windows 11

2
windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
View File

@ -8,6 +8,8 @@ ms.author: aaroncz
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization

2
windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
View File

@ -8,6 +8,8 @@ ms.author: aaroncz
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Test scenario 1 Sign into Azure AD, enable the wake word, and try a voice query # Test scenario 1 Sign into Azure AD, enable the wake word, and try a voice query

2
windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
View File

@ -8,6 +8,8 @@ author: aczechowski
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: aaroncz ms.author: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Set up and test Cortana in Windows 10, version 2004 and later # Set up and test Cortana in Windows 10, version 2004 and later

13
windows/configuration/customize-start-menu-layout-windows-11.md
View File

@ -9,6 +9,8 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Customize the Start menu layout on Windows 11 # Customize the Start menu layout on Windows 11
@ -62,16 +64,9 @@ Start has the following areas:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar` - `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar` - `User Configuration\Administrative Templates\Start Menu and Taskbar`
- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. - **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy.
The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar. - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu`
In **Intune**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
- `User Configuration\Administrative Templates\Start Menu and Taskbar`
## Create the JSON file ## Create the JSON file

2
windows/configuration/customize-taskbar-windows-11.md
View File

@ -9,6 +9,8 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Customize the Taskbar on Windows 11 # Customize the Taskbar on Windows 11

1
windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
View File

@ -10,6 +10,7 @@ ms.author: lizlong
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Customize Windows 10 Start and taskbar with Group Policy # Customize Windows 10 Start and taskbar with Group Policy

1
windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -9,6 +9,7 @@ ms.author: lizlong
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Customize Windows 10 Start and taskbar with provisioning packages # Customize Windows 10 Start and taskbar with provisioning packages

1
windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -10,6 +10,7 @@ ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Find the Application User Model ID of an installed app # Find the Application User Model ID of an installed app

1
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -13,6 +13,7 @@ ms.reviewer: sybruckm
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Guidelines for choosing an app for assigned access (kiosk mode) # Guidelines for choosing an app for assigned access (kiosk mode)

1
windows/configuration/kiosk-additional-reference.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: reference ms.topic: reference
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# More kiosk methods and reference information # More kiosk methods and reference information

1
windows/configuration/kiosk-mdm-bridge.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Use MDM Bridge WMI Provider to create a Windows client kiosk # Use MDM Bridge WMI Provider to create a Windows client kiosk

1
windows/configuration/kiosk-methods.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
author: lizgt2000 author: lizgt2000
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Configure kiosks and digital signs on Windows desktop editions # Configure kiosks and digital signs on Windows desktop editions

1
windows/configuration/kiosk-policies.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: lizlong ms.author: lizlong
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Policies enforced on kiosk devices # Policies enforced on kiosk devices

1
windows/configuration/kiosk-prepare.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Prepare a device for kiosk configuration # Prepare a device for kiosk configuration

1
windows/configuration/kiosk-shelllauncher.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Use Shell Launcher to create a Windows client kiosk # Use Shell Launcher to create a Windows client kiosk

1
windows/configuration/kiosk-single-app.md
View File

@ -10,6 +10,7 @@ ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Set up a single-app kiosk on Windows 10/11 # Set up a single-app kiosk on Windows 10/11

1
windows/configuration/kiosk-validate.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Validate kiosk configuration # Validate kiosk configuration

1
windows/configuration/kiosk-xml.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: lizlong ms.author: lizlong
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Assigned Access configuration (kiosk) XML reference # Assigned Access configuration (kiosk) XML reference

1
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -10,6 +10,7 @@ ms.reviewer: sybruckm
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: how-to ms.topic: how-to
ms.collection: highpri ms.collection: highpri
ms.date: 12/31/2017
--- ---
# Set up a multi-app kiosk on Windows 10 devices # Set up a multi-app kiosk on Windows 10 devices

1
windows/configuration/lockdown-features-windows-10.md
View File

@ -9,6 +9,7 @@ ms.author: lizlong
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Lockdown features from Windows Embedded 8.1 Industry # Lockdown features from Windows Embedded 8.1 Industry

1
windows/configuration/manage-wifi-sense-in-enterprise.md
View File

@ -9,6 +9,7 @@ author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Manage Wi-Fi Sense in your company # Manage Wi-Fi Sense in your company

1
windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
View File

@ -9,6 +9,7 @@ ms.author: lizlong
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Configuration service providers for IT pros # Configuration service providers for IT pros

1
windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
View File

@ -9,6 +9,7 @@ ms.author: lizlong
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Provision PCs with common settings for initial deployment (desktop wizard) # Provision PCs with common settings for initial deployment (desktop wizard)

1
windows/configuration/provisioning-packages/provision-pcs-with-apps.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Provision PCs with apps # Provision PCs with apps

1
windows/configuration/provisioning-packages/provisioning-apply-package.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Apply a provisioning package # Apply a provisioning package

1
windows/configuration/provisioning-packages/provisioning-command-line.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Windows Configuration Designer command-line interface (reference) # Windows Configuration Designer command-line interface (reference)

1
windows/configuration/provisioning-packages/provisioning-create-package.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Create a provisioning package # Create a provisioning package

1
windows/configuration/provisioning-packages/provisioning-how-it-works.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# How provisioning works in Windows # How provisioning works in Windows

1
windows/configuration/provisioning-packages/provisioning-install-icd.md
View File

@ -10,6 +10,7 @@ ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Install Windows Configuration Designer, and learn about any limitations # Install Windows Configuration Designer, and learn about any limitations

1
windows/configuration/provisioning-packages/provisioning-multivariant.md
View File

@ -9,6 +9,7 @@ ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.author: lizlong ms.author: lizlong
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Create a provisioning package with multivariant settings # Create a provisioning package with multivariant settings

1
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Provisioning packages for Windows # Provisioning packages for Windows

1
windows/configuration/provisioning-packages/provisioning-powershell.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# PowerShell cmdlets for provisioning Windows client (reference) # PowerShell cmdlets for provisioning Windows client (reference)

1
windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Use a script to install a desktop app in provisioning packages # Use a script to install a desktop app in provisioning packages

1
windows/configuration/provisioning-packages/provisioning-uninstall-package.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.reviewer: gkomatsu ms.reviewer: gkomatsu
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Settings changed when you uninstall a provisioning package # Settings changed when you uninstall a provisioning package

1
windows/configuration/start-secondary-tiles.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Add image for secondary Microsoft Edge tiles # Add image for secondary Microsoft Edge tiles

79
windows/configuration/stop-employees-from-using-microsoft-store.md
View File

@ -8,59 +8,58 @@ author: lizgt2000
ms.author: lizlong ms.author: lizlong
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 4/16/2018 ms.date: 11/29/2022
ms.collection: highpri ms.collection: highpri
ms.technology: itpro-configure ms.technology: itpro-configure
--- ---
# Configure access to Microsoft Store # Configure access to Microsoft Store
**Applies to:**
**Applies to**
- Windows 10 - Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). > [!TIP]
> For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
> [!Important] > [!IMPORTANT]
> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. > All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
## Options to configure access to Microsoft Store ## Options to configure access to Microsoft Store
You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
## <a href="" id="block-store-applocker"></a>Block Microsoft Store using AppLocker ## Block Microsoft Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education
Applies to: Windows 10 Enterprise, Windows 10 Education
AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers. AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps). For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
**To block Microsoft Store using AppLocker** **To block Microsoft Store using AppLocker:**
1. Type secpol in the search bar to find and start AppLocker. 1. Enter **`secpol`** in the search bar to find and start AppLocker.
2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. 2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. 3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
4. On **Before You Begin**, click **Next**. 4. On **Before You Begin**, select **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. 6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. 7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
[Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules. [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. 8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
## <a href="" id="block-store-csp"></a>Block Microsoft Store using configuration service provider ## Block Microsoft Store using configuration service provider
Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
@ -73,53 +72,51 @@ For more information, see [Configure an MDM provider](/microsoft-store/configure
For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
> [!IMPORTANT]
> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
## <a href="" id="block-store-group-policy"></a>Block Microsoft Store using Group Policy ## Block Microsoft Store using Group Policy
Applies to: Windows 10 Enterprise, Windows 10 Education
Applies to: Windows 10 Enterprise, Windows 10 Education > [!NOTE]
> [!Note]
> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). > Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
You can also use Group Policy to manage access to Microsoft Store. You can also use Group Policy to manage access to Microsoft Store.
**To block Microsoft Store using Group Policy** **To block Microsoft Store using Group Policy:**
1. Type gpedit in the search bar to find and start Group Policy Editor. 1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**. 2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**. 3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**. 4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
> [!Important] > [!IMPORTANT]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store. > When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
## Show private store only using Group Policy ## Show private store only using Group Policy
Applies to Windows 10 Enterprise, Windows 10 Education Applies to Windows 10 Enterprise, Windows 10 Education
If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Microsoft Store app** **To show private store only in Microsoft Store app:**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. 1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. 2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and click **Edit**. 3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
This opens the **Only display the private store within the Microsoft Store app** policy settings. The **Only display the private store within the Microsoft Store app** policy settings will open.
4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**. 4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
## Related topics ## Related articles
[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store) [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
[Manage access to private store](/microsoft-store/manage-access-to-private-store) [Manage access to private store](/microsoft-store/manage-access-to-private-store)
 

2
windows/configuration/supported-csp-start-menu-layout-windows.md
View File

@ -8,6 +8,8 @@ ms.prod: windows-client
author: lizgt2000 author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Supported configuration service provider (CSP) policies for Windows 11 Start menu # Supported configuration service provider (CSP) policies for Windows 11 Start menu

2
windows/configuration/supported-csp-taskbar-windows.md
View File

@ -8,6 +8,8 @@ ms.prod: windows-client
author: lizgt2000 author: lizgt2000
ms.localizationpriority: medium ms.localizationpriority: medium
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
--- ---
# Supported configuration service provider (CSP) policies for Windows 11 taskbar # Supported configuration service provider (CSP) policies for Windows 11 taskbar

1
windows/configuration/wcd/wcd-cellular.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: aaroncz ms.author: aaroncz
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Cellular (Windows Configuration Designer reference) # Cellular (Windows Configuration Designer reference)

1
windows/configuration/wcd/wcd-changes.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: aaroncz ms.author: aaroncz
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Changes to settings in Windows Configuration Designer # Changes to settings in Windows Configuration Designer

1
windows/configuration/wcd/wcd-deviceupdatecenter.md
View File

@ -8,6 +8,7 @@ ms.author: aaroncz
manager: dougeby manager: dougeby
ms.topic: article ms.topic: article
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# DeviceUpdateCenter (Windows Configuration Designer reference) # DeviceUpdateCenter (Windows Configuration Designer reference)

1
windows/configuration/wcd/wcd-location.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Location (Windows Configuration Designer reference) # Location (Windows Configuration Designer reference)

1
windows/configuration/wcd/wcd-maps.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# Maps (Windows Configuration Designer reference) # Maps (Windows Configuration Designer reference)

1
windows/configuration/wcd/wcd-networkproxy.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# NetworkProxy (Windows Configuration Designer reference) # NetworkProxy (Windows Configuration Designer reference)

1
windows/configuration/wcd/wcd-networkqospolicy.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.reviewer: ms.reviewer:
manager: dougeby manager: dougeby
ms.technology: itpro-configure ms.technology: itpro-configure
ms.date: 12/31/2017
--- ---
# NetworkQoSPolicy (Windows Configuration Designer reference) # NetworkQoSPolicy (Windows Configuration Designer reference)

Some files were not shown because too many files have changed in this diff Show More