diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index 1f3ec6eaa1..d8b4a5ca6e 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -430,7 +430,7 @@ This node provides status of the Device Preparation page. Values are an enum: 0
| Property name | Property value |
|:--|:--|
| Format | `int` |
-| Access Type | Get |
+| Access Type | Get, Replace |
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 3174ac4dab..4f948ac7b5 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -88,6 +88,7 @@ The following XML file contains the device description framework (DDF) for the D
+
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 3f61327719..6bfcf539e2 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -3472,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -3547,7 +3547,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-65535]` |
+| Allowed Values | Range: `[0-255]` |
@@ -3812,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -3961,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -3999,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4049,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4099,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4149,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4296,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4334,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4384,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4434,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4484,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4533,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4571,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4621,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4671,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
@@ -4721,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later
✅ Windows Insider Preview [10.0.25398] |
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 8a398f09ae..1d38c29221 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -3030,7 +3030,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.2352
1.0
@@ -3064,7 +3064,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.2352
1.0
@@ -3257,7 +3257,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.2352
1.0
@@ -3450,7 +3450,7 @@ The following XML file contains the device description framework (DDF) for the F
- 10.0.25398
+ 10.0.25398, 10.0.22621.2352
1.0
@@ -4597,7 +4597,7 @@ If not specified the detault is OUT.
- [0-65535]
+ [0-255]
@@ -4833,7 +4833,7 @@ If not specified - a new rule is disabled by default.
- 10.0.25398
+ 10.0.25398, 10.0.22621.2352
1.0
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d5c2ebe843..8b5404c152 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -32,6 +32,7 @@ The following list shows the PassportForWork configuration service provider node
- ./Device/Vendor/MSFT/PassportForWork
- [{TenantId}](#devicetenantid)
- [Policies](#devicetenantidpolicies)
+ - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -164,6 +165,55 @@ Root node for policies.
+
+#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
+```
+
+
+
+
+Disable caching of the Windows Hello for Business credential after sign-in.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | False |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+
+
+
+
+
+
+
+
#### Device/{TenantId}/Policies/DisablePostLogonProvisioning
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 8a2ac551bc..6cfc4fabfc 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -892,6 +892,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
+
+ DisablePostLogonCredentialCaching
+
+
+
+
+
+
+
+ False
+ Disable caching of the Windows Hello for Business credential after sign-in.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 1.6
+
+
+
+ false
+ Disabled
+
+
+ true
+ Enabled
+
+
+
+
UseCertificateForOnPremAuth
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d949612f72..bc9ea26ab4 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2144,6 +2144,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
- [EnableAllowedSources](policy-csp-desktopappinstaller.md)
- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
## DeviceInstallation
@@ -2416,7 +2417,10 @@ This article lists the ADMX-backed policies in Policy CSP.
- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [IntranetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneLogonOptions](policy-csp-internetexplorer.md)
- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index abaed7483e..a1d5758c14 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/25/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -383,10 +383,18 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@@ -394,11 +402,13 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
@@ -412,8 +422,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md)
- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 0d8d931bf2..88fd182beb 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
-This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 0e8a4f4777..700a225113 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -723,6 +725,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
+
+## EnableWindowsPackageManagerCommandLineInterfaces
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
## SourceAutoUpdateInterval
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c0b5145841..d707b4af93 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -7727,6 +7729,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## IntranetZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_3 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## IntranetZoneNavigateWindowsAndFrames
@@ -8730,6 +8804,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## LocalMachineZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_9 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## LocalMachineZoneNavigateWindowsAndFrames
@@ -17229,6 +17375,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
+
+## TrustedSitesZoneLogonOptions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+
+
+
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_5 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
+| ADMX File Name | inetres.admx |
+
+
+
+
+
+
+
+
## TrustedSitesZoneNavigateWindowsAndFrames
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9e5011246e..f3317c93af 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -367,6 +367,134 @@ Accounts: Rename guest account This security setting determines whether a differ
+
+## Audit_AuditTheUseOfBackupAndRestoreprivilege
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_AuditTheUseOfBackupAndRestoreprivilege
+```
+
+
+
+
+Audit: Audit the use of Backup and Restore privilege This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that's backed up or restored. If you disable this policy, then use of the Backup or Restore privilege isn't audited even when Audit privilege use is enabled.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `b64` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: ``) |
+
+
+
+
+
+
+
+
+
+## Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+```
+
+
+
+
+Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they're joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category level audit policy set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
+
+## Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+```
+
+
+
+
+Audit: Shut down system immediately if unable to log security audits This security setting determines whether the system shuts down if it's unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that's specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry can't be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log isn't full.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## Devices_AllowedToFormatAndEjectRemovableMedia
@@ -588,6 +716,381 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
+
+## Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+```
+
+
+
+
+Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Devices: Restrict floppy access to locally logged-on user only |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+```
+
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled.
+
+> [!NOTE]
+> If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt or sign secure channel data (always) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+```
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Default: Enabled.
+
+> [!IMPORTANT]
+> There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+> [!NOTE]
+> Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+```
+
+
+
+
+Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally sign secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_DisableMachineAccountPasswordChanges
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+```
+
+
+
+
+Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password.
+
+- If this setting is enabled, the domain member doesn't attempt to change its computer account password.
+
+- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled.
+
+> [!NOTE]
+> This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Disable machine account password changes |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_MaximumMachineAccountPasswordAge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+```
+
+
+
+
+Domain member: Maximum machine account password age This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days.
+
+> [!IMPORTANT]
+> This setting applies to Windows 2000 computers, but it isn't available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 30 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Maximum machine account password age |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## DomainMember_RequireStrongSessionKey
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+```
+
+
+
+
+Domain member: Require strong (Windows 2000 or later) session key This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information that's transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that's encrypted.
+
+- If this setting is enabled, then the secure channel won't be established unless 128-bit encryption can be performed.
+
+- If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled.
+
+> [!IMPORTANT]
+> In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Require strong (Windows 2000 or later) session key |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
@@ -822,6 +1325,56 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
+
+## InteractiveLogon_MachineAccountThreshold
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
+```
+
+
+
+
+Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Interactive logon: Machine account lockout threshold |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## InteractiveLogon_MachineInactivityLimit
@@ -972,6 +1525,87 @@ Interactive logon: Message title for users attempting to log on This security se
+
+## InteractiveLogon_NumberOfPreviousLogonsToCache
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_NumberOfPreviousLogonsToCache
+```
+
+
+
+
+Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 10 |
+
+
+
+
+
+
+
+
+
+## InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+```
+
+
+
+
+Interactive logon: Prompt user to change password before expiration Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that's sufficiently strong. Default: 5 days.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 5 |
+
+
+
+
+
+
+
+
## InteractiveLogon_SmartCardRemovalBehavior
@@ -1226,6 +1860,56 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
+
+## MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+```
+
+
+
+
+Microsoft network server: Amount of idle time required before suspending a session This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-15]` |
+| Default Value | 15 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Microsoft network server: Amount of idle time required before suspending session |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
## MicrosoftNetworkServer_DigitallySignCommunicationsAlways
@@ -1359,6 +2043,88 @@ Microsoft network server: Digitally sign communications (if client agrees) This
+
+## MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+```
+
+
+
+
+Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
+
+## MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+```
+
+
+
+
+Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that's provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server. The options are: Off - the SPN isn't required or validated by the SMB server from a SMB client. Accept if provided by client - the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that's being requested to establish a connection. If no SPN is provided by client, or the SPN provided doesn't match, the session is denied. Default: Off All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## NetworkAccess_AllowAnonymousSIDOrNameTranslation
@@ -1540,6 +2306,227 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
+
+## NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+```
+
+
+
+
+Network access: Don't allow storage of passwords and credentials for network authentication This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
+
+- If you enable this setting, Credential Manager doesn't store passwords and credentials on the computer.
+
+- If you disable or don't configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
+
+> [!NOTE]
+> When configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+```
+
+
+
+
+Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network access: Let Everyone permissions apply to anonymous users |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+```
+
+
+
+
+Network access: Named pipes that can be accessed anonymously This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Default: None.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_RemotelyAccessibleRegistryPaths
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPaths
+```
+
+
+
+
+Network access: Remotely accessible registry paths This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> This security setting isn't available on earlier versions of Windows. The security setting that appears on computers running Windows XP, "Network access: Remotely accessible registry paths" corresponds to the "Network access: Remotely accessible registry paths and subpaths" security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+```
+
+
+
+
+Network access: Remotely accessible registry paths and subpaths This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> On Windows XP, this security setting was called "Network access: Remotely accessible registry paths". If you configure this setting on a member of the Windows Server 2003 family that's joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
@@ -1646,6 +2633,130 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
+
+## NetworkAccess_SharesThatCanBeAccessedAnonymously
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharesThatCanBeAccessedAnonymously
+```
+
+
+
+
+Network access: Shares that can be accessed anonymously This security setting determines which network shares can accessed by anonymous users. Default: None specified.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## NetworkAccess_SharingAndSecurityModelForLocalAccounts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharingAndSecurityModelForLocalAccounts
+```
+
+
+
+
+Network access: Sharing and security model for local accounts This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify. Default on domain computers: Classic. Default on stand-alone computers: Guest only Important With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.
+
+> [!NOTE]
+> This setting doesn't affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Services was called Terminal Services in previous versions of Windows Server. This policy will have no impact on computers running Windows 2000. When the computer isn't joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that's being used.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## NetworkSecurity_AllowLocalSystemNULLSessionFallback
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemNULLSessionFallback
+```
+
+
+
+
+Network security: Allow LocalSystem NULL session fallback Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
@@ -1961,6 +3072,53 @@ Network security LAN Manager authentication level This security setting determin
+
+## NetworkSecurity_LDAPClientSigningRequirements
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LDAPClientSigningRequirements
+```
+
+
+
+
+Network security: LDAP client signing requirements This security setting determines the level of data signing that's requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
+
+> [!CAUTION]
+> If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
+
+> [!NOTE]
+> This setting doesn't have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller. Default: Negotiate signing.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
@@ -2320,6 +3478,97 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
+
+## RecoveryConsole_AllowAutomaticAdministrativeLogon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+```
+
+
+
+
+Recovery console: Allow automatic administrative logon This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console doesn't require you to provide a password, and it automatically logs on to the system. Default: This policy isn't defined and automatic administrative logon isn't allowed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Recovery console: Allow automatic administrative logon |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+```
+
+
+
+
+Recovery console: Allow floppy copy and access to all drives and all folders Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on the computer. AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. NoCopyPrompt: Don't prompt when overwriting an existing file. Default: This policy isn't defined and the recover console SET command isn't available.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
@@ -2436,6 +3685,138 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
+
+## SystemCryptography_ForceStrongKeyProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemCryptography_ForceStrongKeyProtection
+```
+
+
+
+
+System Cryptography: Force strong key protection for user keys stored on the computer This security setting determines if users' private keys require a password to be used. The options are: User input isn't required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public key infrastructure. Default: This policy isn't defined.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+```
+
+
+
+
+System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | System objects: Require case insensitivity for non-Windows subsystems |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
+
+
+
+
+
+
+
+## SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+```
+
+
+
+
+System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create. Default: Enabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+
+
+
+
+
## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cf9c04b176..9c9630b5ac 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/28/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -293,7 +293,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
+This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
@@ -1281,7 +1281,7 @@ If the status is set to Disabled or Not Configured, Windows will check for avail
> If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
> [!NOTE]
-> This policy isn't supported on %WINDOWS_ARM_VERSION_6_2%. Setting this policy won't have any effect on %WINDOWS_ARM_VERSION_6_2% PCs.
+> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
@@ -1459,7 +1459,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later
✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 10, version 21H2 [10.0.19044.1288] and later
✅ Windows 10, version 22H2 [10.0.19045.2130] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1528,7 +1528,7 @@ Configure this policy to specify whether to receive **Windows Driver Updates** f
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later
✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 10, version 21H2 [10.0.19044.1288] and later
✅ Windows 10, version 22H2 [10.0.19045.2130] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1597,7 +1597,7 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later
✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 10, version 21H2 [10.0.19044.1288] and later
✅ Windows 10, version 22H2 [10.0.19045.2130] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -1666,7 +1666,7 @@ Configure this policy to specify whether to receive **Other Updates** from Windo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later
✅ Windows 10, version 2004 [10.0.19041.1202] and later
✅ Windows 10, version 2009 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 [10.0.19043.1202] and later
✅ Windows 10, version 21H2 [10.0.19044.1288] and later
✅ Windows 10, version 22H2 [10.0.19045.2130] and later
✅ Windows 11, version 21H2 [10.0.22000] and later |
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index c1bc7846e4..090c21984d 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/14/2023
+ms.date: 10/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -376,7 +378,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -589,7 +591,6 @@ OverrideShellProgram policy allows IT admin to configure the shell program for W
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
-| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|