From 884c18f28424cb0b5099c8ce42a1c287fdfdf3f4 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Tue, 9 May 2023 16:05:12 -0400
Subject: [PATCH] CSP changes to improve acro-scores
---
.../client-management/mdm/bitlocker-csp.md | 323 ++++++++----------
.../mdm/includes/mdm-admx-csp-note.md | 12 +
.../mdm/includes/mdm-admx-policy-note.md | 10 +
.../mdm/includes/mdm-insider-csp-note.md | 10 +
.../policy-configuration-service-provider.md | 53 ++-
5 files changed, 209 insertions(+), 199 deletions(-)
create mode 100644 windows/client-management/mdm/includes/mdm-admx-csp-note.md
create mode 100644 windows/client-management/mdm/includes/mdm-admx-policy-note.md
create mode 100644 windows/client-management/mdm/includes/mdm-insider-csp-note.md
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 16889b4db0..95f1a20a80 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/01/2023
+ms.date: 05/09/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,13 +16,9 @@ ms.topic: reference
# BitLocker CSP
-> [!TIP]
-> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-> [!IMPORTANT]
-> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
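Review bot: the removed TIP carried two concrete requirements an MDM author needs for this CSP (`<Format>chr</Format>` for the ADMX-backed nodes, and XML-encoding or CDATA-wrapping the SyncML payload), and the removed IMPORTANT flagged the Insider-preview policies as subject to change. The replacement include files `includes/mdm-admx-csp-note.md` and `includes/mdm-insider-csp-note.md` are listed as created in the diffstat but their contents aren't part of this hunk, so please confirm both includes keep those requirements and the link to `./understanding-admx-backed-policies.md` rather than a shortened paraphrase.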
@@ -80,7 +76,7 @@ The following list shows the BitLocker configuration service provider nodes:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
@@ -91,18 +87,17 @@ The following list shows the BitLocker configuration service provider nodes:
-Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user.
+Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged-on user is non-admin/standard user.
+
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced.
-If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
-is the current logged on user in the system.
+
+If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged-on user in the system.
The expected values for this policy are:
1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
-0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
-will not try to enable encryption on any drive.
-
+0 = This is the default, when the policy isn't set. If current logged-on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive.
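Review bot: the contraction pass leaves this section inconsistent with itself: the rewritten lines now say "logged-on user", but the unchanged `1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.` still reads "logged in user", and the unchanged `"AllowStandardUserEncryption" policy is tied to ... "0", i.e, Silent encryption is enforced.` keeps the `i.e,` typo and a capitalised "Silent" mid-sentence. Since the neighbouring lines are already being rewritten, fix these in the same hunk ("logged-on user", "i.e., silent encryption is enforced").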
@@ -114,7 +109,7 @@ will not try to enable encryption on any drive.
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Dependency [AllowWarningForOtherDiskEncryptionDependency] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
@@ -125,7 +120,7 @@ will not try to enable encryption on any drive.
| Value | Description |
|:--|:--|
-| 0 (Default) | This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. |
+| 0 (Default) | This is the default, when the policy isn't set. If current logged-on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. |
| 1 | "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. |
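Review bot: same inconsistency in the value table: the `0 (Default)` row now says "logged-on user" while the unchanged `| 1 | ... even if a current logged in user is standard user. |` row still says "logged in user"; align it with the rewritten row so the two rows read the same.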
@@ -159,7 +154,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview |
@@ -178,7 +173,8 @@ This policy setting allows suspending protection for BitLocker Drive Encryption
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
-1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+
+1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection.
@@ -190,7 +186,7 @@ The expected values for this policy are:
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
@@ -201,7 +197,7 @@ The expected values for this policy are:
| Value | Description |
|:--|:--|
| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
-| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. |
+| 1 (Default) | This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. |
@@ -216,7 +212,7 @@ The expected values for this policy are:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -231,20 +227,18 @@ Allows Admin to disable all UI (notification for encryption and warning prompt f
and turn on encryption on the user machines silently.
> [!WARNING]
-> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will
-require reinstallation of Windows.
+> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
> [!NOTE]
> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
The expected values for this policy are:
-1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed.
-0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
-the value 0 only takes affect on Azure Active Directory joined devices.
+1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
+
+0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices.
+
Windows will attempt to silently enable BitLocker for value 0.
-
-
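Review bot: `Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices.` is rewritten here but keeps the placeholder "next major update", which tells a reader nothing once that update has shipped; since the line is being touched, replace the placeholder with the actual Windows 10 version in which the Azure AD-joined restriction on value 0 took effect (the version can't be confirmed from this patch). Two smaller points on the rewritten lines: "third party encryption" in the WARNING should be "third-party encryption" (compound modifier), and "Azure Active Directory joined devices" reads better hyphenated as "Azure AD-joined devices".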
@@ -266,7 +260,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
@@ -307,7 +301,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -319,16 +313,16 @@ Windows will attempt to silently enable BitLocker for value 0.
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
-When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
-Active Directory back up for recovery password is configured to required.
-For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
-For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
+
+When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
+
+For OS drive: Turn on "don't enable Bitlocker until recovery information is stored to AD DS for operating system drives"
+For Fixed drives: Turn on "don't enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
+
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
-
-
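Review bot: the contraction rewrite has altered a quoted UI string: `For OS drive: Turn on "don't enable Bitlocker until recovery information is stored to AD DS for operating system drives"` (and the fixed-drives line after it) now misquotes the Group Policy check box, whose label the removed lines of the FixedDrivesRecoveryOptions section in this same patch show verbatim as "Do not enable BitLocker until recovery information is stored in AD DS for ...". Quoted setting names must stay exact so an admin can find them in the policy editor, so revert "don't" to "Do not" inside the quotes and apply contractions only to the surrounding prose (also "Bitlocker" should be "BitLocker"). Separately, `Active Directory back up for recovery password` should be "backup" (noun).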
@@ -340,7 +334,7 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
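Review bot: the property table says `| Default Value | 0 |`, but the description just above marks value 1 as the default (`1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value`) and states that when the policy isn't configured, rotation is on for AAD-joined devices and off for hybrid; one of the two is wrong. If 0 in the table means "not configured" while the effective behaviour is rotation on for Azure AD-joined and off for hybrid devices, say so in the table row rather than leaving a contradictory default on a recovery-password setting.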
@@ -367,7 +361,7 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -380,11 +374,11 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
-- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+- If you enable this policy setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.
-- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
+- If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
> [!NOTE]
> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
@@ -423,13 +417,12 @@ Sample value for this node to enable this policy and set the encryption methods
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
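Review bot: the removed TIP linked directly to the SyncML example at `./understanding-admx-backed-policies.md#enabling-a-policy`; `includes/mdm-admx-policy-note.md` is created by this patch but its contents aren't shown in this hunk, so confirm the include keeps that anchor link. The same include is substituted in seven places in this file, so a missing or changed link would be repeated seven times.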
@@ -474,7 +467,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -487,9 +480,9 @@ To disable this policy, use the following SyncML:
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
-- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option won't be presented in the BitLocker setup wizard.
-- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+- If you disable or don't configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
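Review bot: the rewritten bullet `- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy ...` still lacks the comma after the conditional clause ("If you enable this policy setting, the encryption type ..."); the identical sentence is rewritten again in the RemovableDrivesEncryptionType section of this patch, so fix both while the lines are being touched.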
@@ -517,13 +510,12 @@ Possible values:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -550,7 +542,7 @@ Possible values:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -567,18 +559,18 @@ The "Allow data recovery agent" check box is used to specify whether a data reco
In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.
-Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Select the "don't enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
> [!NOTE]
-> If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.
+> If the "don't enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.
- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
-- If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+- If this policy setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
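Review bot: same quoted-label problem as in ConfigureRecoveryPasswordRotation: `Select the "don't enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box` and the NOTE below it now misquote the check-box name, which the removed lines in this hunk show verbatim as "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" (and the sentence now starts a quoted label with a lowercase "don't"). Keep quoted Group Policy UI strings exact; the readability tooling should be scoped to the prose around them.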
@@ -627,13 +619,12 @@ The possible values for 'zz' are:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -678,7 +669,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -691,9 +682,9 @@ To disable this policy, use the following SyncML:
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
-- If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+- If you enable this policy setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-- If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
+- If you disable or don't configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
@@ -706,13 +697,12 @@ Sample value for this node to enable this policy is: ``
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
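Review bot: the hunk's context header reads "Sample value for this node to enable this policy is: ``", an empty code span, so the FixedDrivesRequireEncryption section currently documents no sample value at all; either supply the value this ADMX-backed node expects or drop the sentence, rather than leaving an empty placeholder next to the newly added include.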
@@ -757,7 +747,7 @@ To disable this policy, use hte following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
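Review bot: the hunk's context header reads `To disable this policy, use hte following SyncML:` (it also appears as the next hunk's header); "hte" is a typo for "the" that sits just above the table this hunk edits and should be fixed in the same change.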
@@ -768,9 +758,9 @@ To disable this policy, use hte following SyncML:
-This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
+This policy setting allows you to associate unique organizational identifiers to a new drive that's enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
-The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.
+The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It's a comma separated list of identification fields from your organization or other external organizations.
You can configure the identification fields on existing drives by using [manage-bde](/windows-server/administration/windows-commands/manage-bde).exe.
@@ -778,7 +768,7 @@ You can configure the identification fields on existing drives by using [manage-
When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.
-- If you disable or do not configure this policy setting, the identification field is not required.
+- If you disable or don't configure this policy setting, the identification field isn't required.
> [!NOTE]
> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
@@ -805,13 +795,12 @@ Sample value for this node to enable this policy is:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -838,7 +827,7 @@ Sample value for this node to enable this policy is:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -853,9 +842,9 @@ This policy setting controls the use of BitLocker on removable data drives. This
When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment).
-- If you do not configure this policy setting, users can use BitLocker on removable disk drives.
+- If you don't configure this policy setting, users can use BitLocker on removable disk drives.
-- If you disable this policy setting, users cannot use BitLocker on removable disk drives.
+- If you disable this policy setting, users can't use BitLocker on removable disk drives.
@@ -879,13 +868,12 @@ Sample value for this node to enable this policy is:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -912,7 +900,7 @@ Sample value for this node to enable this policy is:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -925,9 +913,9 @@ Sample value for this node to enable this policy is:
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
-- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option won't be presented in the BitLocker setup wizard.
-- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+- If you disable or don't configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
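Review bot: the contraction rewrite on the first list item leaves the conditional clause unpunctuated: `- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy ...` needs a comma after `setting`, otherwise it reads as `this policy setting the encryption type`. While the line is being touched, the two clauses read better separated: `If you enable this policy setting, the encryption type BitLocker uses to encrypt drives is defined by this policy, and the encryption type option won't be presented in the BitLocker setup wizard.`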
@@ -950,14 +938,13 @@ Possible values:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [BDEAllowed] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`
Dependency Allowed Value Type: `ADMX`
|
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
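Review bot: the `[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]` that replaces the tip removes the only visible pointer to the SyncML example, `[Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy)`, from this node. Since the same include is substituted for every ADMX-backed node in this patch, confirm that `includes/mdm-admx-policy-note.md` carries that link with the same anchor and that the relative path resolves from this file. The `Format` cell change to `` `chr` (string) `` is consistent with the other nodes in the patch.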
@@ -984,7 +971,7 @@ Possible values:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -995,7 +982,7 @@ Possible values:
-When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004.
+When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices can't be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user won't be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004.
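Review bot: the rewritten description is missing articles and a hyphen: `user won't be prompted for encryption and drive will be mounted in read/write mode` should read `the user won't be prompted for encryption and the drive will be mounted in read/write mode`, and `comma separated list` should be `comma-separated list`. The example hardware ID would also be safer in code font, `` `USBSTOR\SEAGATE_ST39102LW_______0004` ``, so the backslash and the run of underscores are not interpreted as markdown.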
@@ -1007,7 +994,7 @@ When enabled, allows you to exclude removable drives and devices connected over
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
@@ -1024,7 +1011,7 @@ When enabled, allows you to exclude removable drives and devices connected over
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -1037,11 +1024,11 @@ When enabled, allows you to exclude removable drives and devices connected over
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
-- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+- If you enable this policy setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.
-- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
+- If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
> [!NOTE]
> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
@@ -1070,13 +1057,12 @@ The possible values for 'xx' are:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1121,7 +1107,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -1137,8 +1123,7 @@ Allows the Admin to require encryption to be turned on using BitLocker\Device En
Sample value for this node to enable this policy:
1
-Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
-
+Disabling the policy won't turn off the encryption on the system drive. But will stop prompting the user to turn it on.
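Review bot: the rewritten line still carries a sentence fragment: `Disabling the policy won't turn off the encryption on the system drive. But will stop prompting the user to turn it on.` Suggest one sentence: `Disabling the policy won't turn off encryption on the system drive, but it will stop prompting the user to turn it on.` The blank line removed after it should be checked in the rendered page so the next heading still has an empty line before it.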
@@ -1163,7 +1148,7 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
@@ -1173,7 +1158,7 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
| Value | Description |
|:--|:--|
-| 0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. |
+| 0 (Default) | Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes. |
| 1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). |
@@ -1214,7 +1199,7 @@ To disable RequireDeviceEncryption:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -1228,11 +1213,11 @@ To disable RequireDeviceEncryption:
Allows the Admin to require storage card encryption on the device.
This policy is only valid for mobile SKU.
+
Sample value for this node to enable this policy:
1
-Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
-
+Disabling the policy won't turn off the encryption on the storage card. But will stop prompting the user to turn it on.
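Review bot: same fragment as the system-drive description earlier in this patch: `... turn off the encryption on the storage card. But will stop prompting the user to turn it on.` Suggest `Disabling the policy won't turn off encryption on the storage card, but it will stop prompting the user to turn it on.` The sample value `1` on its own line would also be clearer in code font to match the other nodes.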
@@ -1244,7 +1229,7 @@ Disabling the policy will not turn off the encryption on the storage card. But w
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
@@ -1254,7 +1239,7 @@ Disabling the policy will not turn off the encryption on the storage card. But w
| Value | Description |
|:--|:--|
-| 0 (Default) | Storage cards do not need to be encrypted. |
+| 0 (Default) | Storage cards don't need to be encrypted. |
| 1 | Require storage cards to be encrypted. |
@@ -1270,7 +1255,7 @@ Disabling the policy will not turn off the encryption on the storage card. But w
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -1282,19 +1267,19 @@ Disabling the policy will not turn off the encryption on the storage card. But w
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
+
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
-- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
-- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
+- For OS drives, enable "don't enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
+- For fixed drives, enable "don't enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
- status\RotateRecoveryPasswordsStatus
- status\RotateRecoveryPasswordsRequestID
-Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
-
+Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.
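Review bot: the two rewritten list items change a quoted Group Policy label rather than body text: `"don't enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."` and its fixed-drives counterpart. The removed lines show the label as it appears in the policy editor, `"Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."`; admins look for that exact string, and the lower-case `"don't ...` reads as a sentence starting mid-quote. Keep quoted UI strings verbatim and apply the contraction rule only to the surrounding prose. Dropping the stray trailing `\` on the `Supported Values` line is fine.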
@@ -1324,7 +1309,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Exec |
@@ -1340,7 +1325,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
@@ -1362,7 +1347,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
| Property name | Property value |
|:--|:--|
-| Format | node |
+| Format | `node` |
| Access Type | Get |
@@ -1378,7 +1363,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
@@ -1390,6 +1375,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
This node reports compliance state of device encryption on the system.
+
Value '0' means the device is compliant. Any other value represents a non-compliant device.
@@ -1423,7 +1409,7 @@ This value represents a bitmask with each bit and the corresponding error code d
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Get |
@@ -1439,7 +1425,7 @@ This value represents a bitmask with each bit and the corresponding error code d
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1462,7 +1448,7 @@ This node reports compliance state of removal drive encryption. "0" Value means
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Get |
@@ -1478,7 +1464,7 @@ This node reports compliance state of removal drive encryption. "0" Value means
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -1490,8 +1476,8 @@ This node reports compliance state of removal drive encryption. "0" Value means
This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
-This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
-To ensure the status is correctly matched to the request ID.
+
+This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus To ensure the status is correctly matched to the request ID.
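Review bot: joining the two lines produced a mid-sentence capital: `... in synchronization with RotateRecoveryPasswordsStatus To ensure the status is correctly matched to the request ID.` Lower-case `to`, and consider code font for the node name, `` `RotateRecoveryPasswordsStatus` ``, since it is the literal status node path listed in the RotateRecoveryPasswords description.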
@@ -1503,7 +1489,7 @@ To ensure the status is correctly matched to the request ID.
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Get |
@@ -1519,7 +1505,7 @@ To ensure the status is correctly matched to the request ID.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -1531,6 +1517,7 @@ To ensure the status is correctly matched to the request ID.
This Node reports the status of RotateRecoveryPasswords request.
+
Status code can be one of the following:
NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
@@ -1544,7 +1531,7 @@ NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
| Property name | Property value |
|:--|:--|
-| Format | int |
+| Format | `int` |
| Access Type | Get |
@@ -1560,7 +1547,7 @@ NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1571,13 +1558,13 @@ NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure.
-This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
+This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they're able to provide the existing PIN first.
This policy setting is applied when you turn on BitLocker.
-- If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+- If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords.
-- If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
+- If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
@@ -1593,13 +1580,12 @@ Sample value for this node to disable this policy is: ``
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1626,7 +1612,7 @@ Sample value for this node to disable this policy is: ``
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1643,9 +1629,10 @@ The Windows touch keyboard (such as that used by tablets) isn't available in the
- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
-- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+- If this policy isn't enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
+
+Note that if you don't enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:
-**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:
- Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN: Required/Allowed
- Configure use of passwords for operating system drives.
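Review bot: replacing `**Note** that if you don't enable ...` with a plain paragraph `Note that if you don't enable ...` is inconsistent with the rest of this file, which uses `> [!NOTE]` callouts for the same kind of caveat (for example on the removable-drive write-access description and the enhanced startup PIN description in this patch). Suggest a callout, `> [!NOTE]` followed by `> If you don't enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:`, with the three `Configure ...` list items kept inside the quote block so they render as part of the note.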
@@ -1661,13 +1648,12 @@ Sample value for this node to enable this policy is: ``
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1694,7 +1680,7 @@ Sample value for this node to enable this policy is: ``
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1709,7 +1695,7 @@ This policy setting allows users on devices that are compliant with InstantGo or
- If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
-- If this policy is not enabled, the options of "Require additional authentication at startup" policy apply.
+- If this policy isn't enabled, the options of "Require additional authentication at startup" policy apply.
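Review bot: the rewritten second list item is missing an article: `the options of "Require additional authentication at startup" policy apply` should read `the options of the "Require additional authentication at startup" policy apply`.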
@@ -1722,13 +1708,12 @@ Sample value for this node to enable this policy is: ``
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1755,7 +1740,7 @@ Sample value for this node to enable this policy is: ``
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1768,9 +1753,9 @@ Sample value for this node to enable this policy is: ``
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
-- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
+- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option won't be presented in the BitLocker setup wizard.
-- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
+- If you disable or don't configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
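Review bot: as with the identical encryption-type description earlier in this patch, the first list item needs a comma after `If you enable this policy setting`; without it the clause reads as `this policy setting the encryption type`. Since this paragraph and both list items are duplicated verbatim for the other drive type, consider moving the shared text into an include in the same way the ADMX tip was moved to `includes/mdm-admx-policy-note.md`, so the wording is corrected in one place.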
@@ -1799,13 +1784,12 @@ Possible values:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1832,7 +1816,7 @@ Possible values:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1850,9 +1834,9 @@ Enhanced startup PINs permit the use of characters including uppercase and lower
- If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.
> [!NOTE]
-> Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.
+> Not all computers may support enhanced PINs in the pre-boot environment. It's strongly recommended that users perform a system check during BitLocker setup.
-- If you disable or do not configure this policy setting, enhanced PINs will not be used.
+- If you disable or don't configure this policy setting, enhanced PINs won't be used.
@@ -1865,13 +1849,12 @@ Sample value for this node to enable this policy is: ``
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1898,7 +1881,7 @@ Sample value for this node to enable this policy is: ``
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -1913,7 +1896,7 @@ This policy setting allows you to configure a minimum length for a Trusted Platf
- If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
-- If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
+- If you disable or don't configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
> [!NOTE]
> If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
@@ -1936,13 +1919,12 @@ Sample value for this node to enable this policy is:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -1986,7 +1968,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -2006,7 +1988,7 @@ If you select the "Use custom recovery message" option, the message you type in
If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
> [!NOTE]
-> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
+> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
@@ -2046,13 +2028,12 @@ The possible value for 'yy' and 'zz' is a string of max length 900 and 500 respe
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -2096,7 +2077,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -2113,18 +2094,18 @@ The "Allow certificate-based data recovery agent" check box is used to specify w
In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.
-Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Select the "don't enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
> [!NOTE]
-> If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.
+> If the "don't enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.
- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
-- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
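Review bot: the two `+` lines that turn the quoted check box label "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" into `"don't enable BitLocker until ..."` rewrite a UI string, so the text no longer matches the label an administrator sees in the policy editor and the quoted label now starts with a lowercase word; the contraction pass should skip quoted UI strings and keep `"Do not enable BitLocker until recovery information is stored in AD DS for operating system drives"` on both the paragraph line and the NOTE line. The `+Select "Omit recovery options from the BitLocker setup wizard"` line keeps the comma splice "... when you turn on BitLocker, instead BitLocker recovery options ..."; a semicolon before "instead" reads better while the line is being touched.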
@@ -2172,13 +2153,12 @@ The possible values for 'zz' are:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
@@ -2223,7 +2203,7 @@ To disable this policy, use the following SyncML:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
@@ -2245,7 +2225,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
-- If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
+- If you disable or don't configure this policy setting, users can configure only basic options on computers with a TPM.
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard.
@@ -2293,13 +2273,12 @@ The possible values for 'yy' are:
| Property name | Property value |
|:--|:--|
-| Format | chr (string) |
+| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+[!INCLUDE [ADMX Backed Policy Tip](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
diff --git a/windows/client-management/mdm/includes/mdm-admx-csp-note.md b/windows/client-management/mdm/includes/mdm-admx-csp-note.md
new file mode 100644
index 0000000000..68b132c9a5
--- /dev/null
+++ b/windows/client-management/mdm/includes/mdm-admx-csp-note.md
@@ -0,0 +1,12 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 05/09/2023
+---
+
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as `chr`. For details, see [Understanding ADMX-backed policies](../../understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
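Review bot: the link on the TIP line, `../../understanding-admx-backed-policies.md`, resolves from `mdm/includes/` to `windows/client-management/`, whereas the per-policy tip this patch removes from bitlocker-csp.md linked `./understanding-admx-backed-policies.md#enabling-a-policy` relative to `mdm/`; one of the two is off by a directory level, so verify which location holds the target before merging, since a broken link in an include breaks every CSP page that pulls it in. The second paragraph points readers at "a variety of online encoders" for XML-encoding SyncML payloads; since these payloads carry policy configuration, suggest recommending a local encoder or the CDATA option first rather than pasting management payloads into third-party web tools.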
diff --git a/windows/client-management/mdm/includes/mdm-admx-policy-note.md b/windows/client-management/mdm/includes/mdm-admx-policy-note.md
new file mode 100644
index 0000000000..24b506bf4b
--- /dev/null
+++ b/windows/client-management/mdm/includes/mdm-admx-policy-note.md
@@ -0,0 +1,10 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 05/09/2023
+---
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](../../understanding-admx-backed-policies.md#enabling-a-policy).
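Review bot: the front matter sets `ms.prod: windows`, but the page that consumes this include further down the patch (policy-configuration-service-provider.md) carries `ms.prod: windows-client`; the same mismatch is in the other two new include files. Either set the includes to `windows-client` or drop `ms.prod` from them so the metadata doesn't diverge from the parent pages. The `../../understanding-admx-backed-policies.md#enabling-a-policy` link has the same directory-level question as the sibling csp-note include and should be checked together with it, including that the `enabling-a-policy` anchor still exists at the target.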
diff --git a/windows/client-management/mdm/includes/mdm-insider-csp-note.md b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
new file mode 100644
index 0000000000..5c8c70b1fe
--- /dev/null
+++ b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
@@ -0,0 +1,10 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 05/09/2023
+---
+
+> [!IMPORTANT]
+> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
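Review bot: no visible hunk adds an `[!INCLUDE [...](includes/mdm-insider-csp-note.md)]` reference, so this include is created without a consumer in the shown changes; either wire it into the page whose preview IMPORTANT block it is meant to replace or state in the PR description that a follow-up does. The `/windows-insider/` link is root-relative and unaffected by the include's directory, unlike the `../../` links in the two sibling includes.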
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 1fc1424bc4..dfec87bce1 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 05/01/2023
+ms.date: 05/09/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -25,8 +25,6 @@ The Policy configuration service provider has the following sub-categories:
- Policy/Config/**AreaName** - Handles the policy configuration request from the server.
- Policy/Result/**AreaName** - Provides a read-only path to policies enforced on the device.
-
-
> [!IMPORTANT]
> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
>
@@ -82,7 +80,7 @@ The following list shows the Policy configuration service provider nodes:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -121,7 +119,7 @@ Node for grouping all policies configured by one source. The configuration sourc
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -132,7 +130,7 @@ Node for grouping all policies configured by one source. The configuration sourc
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -161,7 +159,7 @@ The area group that can be configured by a single technology for a single provid
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -209,7 +207,7 @@ The following list shows some tips to help you when configuring policies:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -248,7 +246,7 @@ The root node for grouping different configuration operations.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -259,7 +257,7 @@ The root node for grouping different configuration operations.
-Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
+Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that's added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
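Review bot: while this line is being edited, the URIs `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall` and `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}` should be put in backticks, matching the `chr` formatting introduced elsewhere in this patch; left as plain text, the sentence-ending period after `{AppName}` reads as part of the URI. The paragraph's delete semantics also deserve a one-line callout: per the text, deleting an ingested ADMX file removes it from disk, clears its metadata from the ADMXdefault hive, and removes every policy set from that file, so a delete on the `{AppName}` node reverts all configuration that app's ADMX delivered.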
@@ -291,7 +289,7 @@ Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -331,7 +329,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -371,7 +369,7 @@ Setting Type of Win32 App. Policy Or Preference.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
@@ -411,7 +409,7 @@ Unique ID of ADMX file.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299.1481] and later
✅ Windows 10, version 1803 [10.0.17134.1099] and later
✅ Windows 10, version 1809 [10.0.17763.832] and later
✅ Windows 10, version 1903 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -450,7 +448,7 @@ Properties of Win32 App ADMX Ingestion.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299.1481] and later
✅ Windows 10, version 1803 [10.0.17134.1099] and later
✅ Windows 10, version 1809 [10.0.17763.832] and later
✅ Windows 10, version 1903 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -490,7 +488,7 @@ Setting Type of Win32 App. Policy Or Preference.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299.1481] and later
✅ Windows 10, version 1803 [10.0.17134.1099] and later
✅ Windows 10, version 1809 [10.0.17763.832] and later
✅ Windows 10, version 1903 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -530,7 +528,7 @@ Unique ID of ADMX file.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+| ✅ Device
❌ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299.1481] and later
✅ Windows 10, version 1803 [10.0.17134.1099] and later
✅ Windows 10, version 1809 [10.0.17763.832] and later
✅ Windows 10, version 1903 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later |
@@ -569,7 +567,7 @@ Version of ADMX file. This can be set by the server to keep a record of the vers
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -608,7 +606,7 @@ Groups the evaluated policies from all providers that can be configured.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -648,7 +646,7 @@ The area group that can be configured by a single technology independent of the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
✅ User | ❌ Home
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -688,7 +686,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -727,7 +725,7 @@ Node for grouping all policies configured by one source. The configuration sourc
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -738,7 +736,7 @@ Node for grouping all policies configured by one source. The configuration sourc
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -775,7 +773,7 @@ The following list shows some tips to help you when configuring policies:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -815,7 +813,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -854,7 +852,7 @@ Groups the evaluated policies from all providers that can be configured.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -894,7 +892,7 @@ The area group that can be configured by a single technology independent of the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | |
+| ✅ Device
✅ User | ❌ Home
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE | |
@@ -1120,6 +1118,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [ExploitGuard](policy-csp-exploitguard.md)
- [FederatedAuthentication](policy-csp-federatedauthentication.md)
- [FileExplorer](policy-csp-fileexplorer.md)
+- [FileSystem](policy-csp-filesystem.md)
- [Games](policy-csp-games.md)
- [Handwriting](policy-csp-handwriting.md)
- [HumanPresence](policy-csp-humanpresence.md)