deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20220914-winse-faq

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-09-20 13:09:58 -04:00
commit 8e17b31247
136 changed files with 7141 additions and 3168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.openpublishing.redirection.json
View File

@ -19644,6 +19644,16 @@
"source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md",
"redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
"redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
"redirect_document_id": false
}
]
}

22
CONTRIBUTING.md
View File

@ -2,7 +2,7 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation.
For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/).
For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/).
## Sign a CLA
@ -19,10 +19,10 @@ We've tried to make editing an existing, public file as simple as possible.
### To edit a topic
1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update.
1. Browse to the [Microsoft Docs](https://learn.microsoft.com/) article that you want to update.
> **Note**<br>
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.learn.microsoft.com/help/get-started/edit-article-in-github?branch=main).
1. Then select the **Pencil** icon.
@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.
![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)
1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
@ -57,16 +57,16 @@ We've tried to make editing an existing, public file as simple as possible.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
- [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
- [Windows client documentation for IT Pros](https://learn.microsoft.com/windows/resources/)
- [Microsoft Store](https://learn.microsoft.com/microsoft-store)
- [Windows 10 for Education](https://learn.microsoft.com/education/windows)
- [Windows 10 for SMB](https://learn.microsoft.com/windows/smb)
- [Internet Explorer 11](https://learn.microsoft.com/internet-explorer/)
## Making more substantial changes
To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
For info about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th
- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference).

56
bcs/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "bcs-vsts",
"markdownEngineName": "dfm"
}
}

75
devices/hololens/docfx.json
View File

@ -1,75 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/**.yml"
],
"exclude": [
"**/obj/**",
"devices/hololens/**",
"**/includes/**"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"devices/hololens/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"audience": "ITPro",
"manager": "dansimp",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.itpro-hololens",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "devices/hololens",
"markdownEngineName": "markdig"
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
]
}

63
devices/surface-hub/docfx.json
View File

@ -1,63 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**",
"**/*.pptx",
"**/*.pdf"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"ms.mktglfcycl": "manage",
"ms.sitesec": "library",
"ms.date": "05/23/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface-hub",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Surface Hub"
},
"externalReference": [],
"template": "op.html",
"dest": "devices/surface-hub",
"markdownEngineName": "markdig"
}
}

59
devices/surface/docfx.json
View File

@ -1,59 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.surface",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Surface"
},
"externalReference": [],
"template": "op.html",
"dest": "devices/surface",
"markdownEngineName": "markdig"
}
}

49
education/includes/education-content-updates.md
View File

@ -2,6 +2,16 @@
## Week of September 12, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
## Week of September 05, 2022
@ -40,42 +50,3 @@
| Published On |Topic title | Change |
|------|------------|--------|
| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
## Week of August 08, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified |
| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified |
| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified |
| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified |
| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified |
| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified |
| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified |
| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified |
| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified |
| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |
| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |

2
education/index.yml
View File

@ -73,7 +73,7 @@ productDirectory:
text: IT admin help
- url: https://support.office.com/education
text: Education help center
- url: /learn/educator-center/
- url: /training/educator-center/
text: Teacher training packs
# Card
- title: Check out our education journey

14
education/windows/TOC.yml
View File

@ -28,18 +28,22 @@ items:
href: set-up-school-pcs-shared-pc-mode.md
- name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md
- name: Take tests and assessments in Windows
href: take-tests-in-windows-10.md
- name: How-to-guides
items:
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Take tests and assessments in Windows
- name: Configure education features
items:
- name: Overview
href: take-tests-in-windows-10.md
- name: Configure education themes
href: edu-themes.md
- name: Configure Stickers
href: edu-stickers.md
- name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- name: Configure a Test on multiple PCs
href: take-a-test-multiple-pcs.md
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Change Windows edition
items:
- name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode

77
education/windows/edu-stickers.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Configure Stickers for Windows 11 SE
description: Description of the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 11 SE, version 22H2</b>
---
# Configure Stickers for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
Stickers are simple to use, and give students an easy way to express themselves by decorating their desktop, helping to make learning fun.
## Benefits of Stickers
When students feel like they can express themselves at school, they pay more attention and learn, which benefits students, teachers, and the school community. Self-expression is critical to well-being and success at school. Customizing a device is one way to express a personal brand.
With Stickers, students feel more attached to the device as they feel as if it's their own, they take better care of it, and it's more likely to last.
## Enable Stickers
Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure Stickers using a provisioning package, use the following settings:
| Setting |
|--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable Stickers on.
---
## How to use Stickers
Once the Stickers feature is enabled, the sticker editor can be opened by either:
- using the contextual menu on the desktop and selecting the option **Add or edit stickers**
- opening the Settings app > **Personalization** > **Background** > **Add stickers**
:::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch.
:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
Select the *X button* at the top of the screen to save your progress and close the sticker editor.
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

64
education/windows/edu-themes.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Configure education themes for Windows 11
description: Description of education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
- ✅ <b>Windows 11 SE, version 22H2</b>
---
# Configure education themes for Windows 11
Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
## Enable education themes
Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure education themes using a provisioning package, use the following settings:
| Setting |
|--------|
| <li> Path: **`Education/EnableEduThemes`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable education themes on.
---
## How to use the education themes
Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

BIN
education/windows/images/win-11-se-stickers-animation.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 MiB

BIN
education/windows/images/win-11-se-stickers-menu.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 357 KiB

BIN
education/windows/images/win-11-se-stickers-picker.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 433 KiB

BIN
education/windows/images/win-11-se-stickers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 548 KiB

BIN
education/windows/images/win-11-se-themes-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 668 KiB

BIN
education/windows/images/win-11-se-themes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 300 KiB

6
education/windows/index.yml
View File

@ -47,6 +47,12 @@ landingContent:
url: windows-11-se-overview.md
- text: Windows 11 SE settings
url: windows-11-se-settings-list.md
- linkListType: whats-new
links:
- text: Configure education themes
url: edu-themes.md
- text: Configure Stickers
url: edu-stickers.md
- linkListType: video
links:
- text: Deploy Windows 11 SE using Set up School PCs

3
education/windows/windows-11-se-overview.md
View File

@ -87,7 +87,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
@ -119,7 +118,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
| NAPLAN | 2.5.0 | Win32 | NAP |
| Netref Student | 22.2.0 | Win32 | NetRef |
| NetSupport Manager | 12.01.0011 | Win32 | NetSupport |
| NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
| NetSupport School | 14.00.0011 | Win32 | NetSupport |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |

55
gdpr/docfx.json
View File

@ -1,55 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "gdpr",
"markdownEngineName": "dfm"
}
}

63
mdop/docfx.json
View File

@ -1,63 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/**.md",
"**/**.yml"
],
"exclude": [
"**/obj/**"
]
}
],
"resource": [
{
"files": [
"**/images/**"
],
"exclude": [
"**/obj/**"
]
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"audience": "ITPro",
"manager": "dansimp",
"ms.prod": "w10",
"ms.author": "dansimp",
"author": "dansimp",
"ms.sitesec": "library",
"ms.topic": "article",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.mdop",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"garycentric"
],
"titleSuffix": "Microsoft Desktop Optimization Pack"
},
"externalReference": [],
"template": "op.html",
"dest": "mdop",
"markdownEngineName": "markdig"
}
}

2
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -41,7 +41,7 @@ We've been working on bug fixes and performance improvements to provide you a be
| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
|| ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
|| ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.learn.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-->
## Previous releases and updates

12
template.md
View File

@ -28,7 +28,7 @@ When you create a new markdown file article, **Save as** this template to a new
## Metadata
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.learn.microsoft.com/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element.
@ -65,7 +65,7 @@ The full metadata block is above the markdown between the `---` lines. For more
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Docs Markdown reference in the Contributor Guide](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
@ -79,7 +79,7 @@ Second-level headings (`##`, also known as H2) generate the on-page TOC that app
Limit the length of second-level headings to avoid excessive line wraps.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
@ -111,7 +111,7 @@ _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps di
>
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo
@ -149,7 +149,7 @@ There's a broken link report that runs once a week in the build system, get the
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists
@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period.
## docs.ms extensions
> [!div class="nextstepaction"]
> [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/mem/configmgr)
> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)

61
windows/access-protection/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-access-protection",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-access-protection",
"markdownEngineName": "markdig"
}
}

3
windows/client-management/manage-corporate-devices.md
View File

@ -44,6 +44,3 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
 

12
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -531,6 +531,18 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Local Administrator Password Solution CSP](laps-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|Yes|Yes|Yes|Yes|Yes|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[MultiSIM CSP](multisim-csp.md)

7
windows/client-management/mdm/devicestatus-csp.md
View File

@ -71,6 +71,8 @@ DeviceStatus
--------VirtualizationBasedSecurityHwReq
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
----CertAttestation
--------MDMClientCertAttestation
```
<a href="" id="devicestatus"></a>**DeviceStatus**
@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
Supported operation is Get.
<a href="" id="devicestatus-certattestation-mdmclientcertattestation"></a>**DeviceStatus/CertAttestation/MDMClientCertAttestation**
Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

42
windows/client-management/mdm/devicestatus-ddf.md
View File

@ -881,6 +881,48 @@ The XML below is for Windows 10, version 1803.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CertAttestation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Node for Certificate Attestation</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>MDMClientCertAttestation</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

2
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -565,7 +565,7 @@ The data type is string.
Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**

8
windows/client-management/mdm/diagnosticlog-ddf.md
View File

@ -2028,7 +2028,7 @@ The content below are the latest versions of the DDF files:
<Delete />
<Replace />
</AccessType>
<Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
<Description>SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
<DFFormat>
<chr />
</DFFormat>
@ -2178,9 +2178,3 @@ The content below are the latest versions of the DDF files:
 
 

2
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -219,7 +219,7 @@ Requirements:
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`.
5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.

8
windows/client-management/mdm/euiccs-csp.md
View File

@ -40,6 +40,7 @@ eUICCs
------------ServerName
----------------DiscoveryState
----------------AutoEnable
----------------IsDiscoveryServer
--------Profiles
------------ICCID
----------------ServerName
@ -112,6 +113,13 @@ Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-downloadservers-servername-isdiscoveryserver"></a>**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**
Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created.
Supported operations are Add, Get, and Replace.
Value type is bool. Default value is false.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.

24
windows/client-management/mdm/euiccs-ddf-file.md
View File

@ -247,6 +247,30 @@ The XML below if for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsDiscoveryServer</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Indicates whether the server is a discovery server. Optional, default value is false.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>

8
windows/client-management/mdm/healthattestation-ddf.md
View File

@ -92,7 +92,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
<Description>Provides the current status of the device health request. For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
<DFFormat>
<int />
</DFFormat>
@ -456,9 +456,3 @@ The XML below is the current version for this CSP.
 
 

760
windows/client-management/mdm/laps-csp.md Normal file
View File

@ -0,0 +1,760 @@
---
title: Local Administrator Password Solution CSP
description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
---
# Local Administrator Password Solution CSP
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
The following example shows the LAPS CSP in tree format.
```xml
./Device/Vendor/MSFT
LAPS
----Policies
--------BackupDirectory
--------PasswordAgeDays
--------PasswordLength
--------PasswordComplexity
--------PasswordExpirationProtectionEnabled
--------AdministratorAccountName
--------ADPasswordEncryptionEnabled
--------ADPasswordEncryptionPrincipal
--------ADEncryptedPasswordHistorySize
--------PostAuthenticationResetDelay
--------PostAuthenticationActions
----Actions
--------ResetPassword
--------ResetPasswordStatus
```
The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
|Setting name|Azure-joined|Hybrid-joined|
|---|---|---|
|BackupDirectory|Yes|Yes
|PasswordAgeDays|Yes|Yes
|PasswordLength|Yes|Yes|
|PasswordComplexity|Yes|Yes|
|PasswordExpirationProtectionEnabled|No|Yes|
|AdministratorAccountName|Yes|Yes|
|ADPasswordEncryptionEnabled|No|Yes|
|ADPasswordEncryptionPrincipal|No|Yes|
|ADEncryptedPasswordHistorySize|No|Yes|
|PostAuthenticationResetDelay|Yes|Yes|
|PostAuthenticationActions|Yes|Yes|
|ResetPassword|Yes|Yes|
|ResetPasswordStatus|Yes|Yes|
> [!IMPORTANT]
> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
## ./Device/Vendor/MSFT/LAPS
Defines the root node for the LAPS CSP.
<!--Policy-->
### Policies
Defines the interior parent node for all configuration-related settings in the LAPS CSP.
<!--/Policy-->
<!--Policy-->
### BackupDirectory
<!--Description-->
Allows the administrator to configure which directory the local administrator account password is backed up to.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--SupportedValues-->
The allowable settings are:
|Value|Description of setting|
|--- |--- |
|0|Disabled (password won't be backed up)|
|1|Back up the password to Azure AD only|
|2|Back up the password to Active Directory only|
If not specified, this setting will default to 0 (disabled).
<!--/SupportedValues-->
<!--/Policy-->
<!--Policy-->
### PasswordAgeDays
<!--Description-->
Use this policy to configure the maximum password age of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 30 days
This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD.
This setting has a maximum allowed value of 365 days.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordComplexity
<!--Description-->
Use this setting to configure password complexity of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
The allowable settings are:
|Value|Description of setting|
|--- |--- |
|1|Large letters|
|2|Large letters + small letters|
|3|Large letters + small letters + numbers|
|4|Large letters + small letters + numbers + special characters|
If not specified, this setting will default to 4.
> [!IMPORTANT]
> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordLength
<!--Description-->
Use this setting to configure the length of the password of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 14 characters.
This setting has a minimum allowed value of 8 characters.
This setting has a maximum allowed value of 64 characters.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### AdministratorAccountName
<!--Description-->
Use this setting to configure the name of the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
If specified, the specified account's password will be managed.
> [!IMPORTANT]
> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created.
<!--/SupportedValues-->
Data type is string.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PasswordExpirationProtectionEnabled
<!--Description-->
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy.
If not specified, this setting defaults to True.
> [!IMPORTANT]
> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory.
<!--/SupportedValues-->
Data type is boolean.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADPasswordEncryptionEnabled
<!--Description-->
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting is ignored if the password is currently being stored in Azure.
If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory.
If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory.
If not specified, this setting defaults to False.
> [!IMPORTANT]
> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
<!--/SupportedValues-->
Data type is boolean.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADPasswordEncryptionPrincipal
<!--Description-->
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting is ignored if the password is currently being stored in Azure.
If not specified, the password can only be decrypted by the Domain Admins group in the device's domain.
If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain.
> [!IMPORTANT]
> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include:
>
> "S-1-5-21-2127521184-1604012920-1887927527-35197"
>
> "contoso\LAPSAdmins"
>
> "lapsadmins@contoso.com"
>
> The principal identified (either by SID or user\group name) must exist and be resolvable by the device.
> [!IMPORTANT]
> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
<!--/SupportedValues-->
Data type is string.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### ADEncryptedPasswordHistorySize
<!--Description-->
Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 0 passwords (disabled).
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.
> [!IMPORTANT]
> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PostAuthenticationResetDelay
<!--Description-->
Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below).
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
If not specified, this setting will default to 24 hours.
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
This setting has a maximum allowed value of 24 hours.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
### PostAuthenticationActions
<!--Description-->
Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above).
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
This setting can have ONE of the following values:
|Value|Name|Action(s) taken upon expiry of the grace period|
|--- |--- |--- |
|1|Reset password|The managed account password will be reset|
|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated|
|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.|
If not specified, this setting will default to 3.
> [!IMPORTANT]
> The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.
> [!IMPORTANT]
> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
## Actions
Defines the parent interior node for all action-related settings in the LAPS CSP.
<!--/Policy-->
<!--Policy-->
### ResetPassword
<!--Description-->
Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
<!--/SupportedValues-->
Data type is integer.
Supported operations are Execute.
<!--/Policy-->
<!--Policy-->
### ResetPasswordStatus
<!--Description-->
Use this setting to query the status of the last submitted ResetPassword action.
<!--/Description-->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<!--SupportedValues-->
The value returned is an HRESULT code.
S_OK (0x0) - the last submitted ResetPassword action succeeded.
E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing.
other - the last submitted ResetPassword action encountered the returned error.
<!--/SupportedValues-->
Data type is integer.
Supported operations are Get.
<!--/Policy-->
### SyncML examples
The following examples are provided to show proper format and shouldn't be taken as a recommendation.
#### Azure-joined device backing password up to Azure AD
This example is configuring an Azure-joined device to back up its password to Azure Active Directory:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdId>1</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdId>2</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>7</Data>
</Item>
</Add>
<Add>
<CmdId>3</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdId>4</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>32</Data>
</Item>
</Add>
<Add>
<CmdId>5</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>ContosoLocalLapsAdmin</Data>
</Item>
</Add>
<Add>
<CmdId>6</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>8</Data>
</Item>
</Add>
<Add>
<CmdId>7</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>&lt;Final/&gt;</SyncBody>
</SyncMl>
```
#### Hybrid-joined device backing password up to Active Directory
This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdId>1</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdId>2</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>20</Data>
</Item>
</Add>
<Add>
<CmdId>3</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdId>4</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>14</Data>
</Item>
</Add>
<Add>
<CmdId>5</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>ContosoLocalLapsAdmin</Data>
</Item>
</Add>
<Add>
<CmdId>6</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Add>
<Add>
<CmdId>7</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Add>
<Add>
<CmdId>8</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>LAPSAdmins@contoso.com</Data>
</Item>
</Add>
<Add>
<CmdId>9</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>6</Data>
</Item>
</Add>
<Add>
<CmdId>10</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdId>11</CmdId>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>5</Data>
</Item>
</Add>&lt;Final/&gt;</SyncBody>
</SyncMl>
```
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

654
windows/client-management/mdm/laps-ddf-file.md Normal file
View File

@ -0,0 +1,654 @@
---
title: LAPS DDF file
description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
---
# Local Administrator Password Solution DDF file
This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<identity
xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
owner="Microsoft"
namespace="Windows-DeviceManagement-CspDefinition"
name="LAPS">
<cspDefinition>
<MgmtTree>
<VerDTD>1.2</VerDTD>
<BinaryPath>"%windir%\system32\LapsCSP.dll</BinaryPath>
<Diagnostics></Diagnostics>
<ComClsid>{298a6f17-03e7-4bd4-971c-544f359527b7}</ComClsid>
<Node>
<NodeName>LAPS</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for the LAPS configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.0</CspVersion>
</Applicability>
<ExposedTo>
<Mdm />
</ExposedTo>
</DFProperties>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node for LAPS policies.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Policies</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
<AtomicRequired />
</DFProperties>
<Node>
<NodeName>BackupDirectory</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to configure which directory the local admin account password is backed up to.
The allowable settings are:
0=Disabled (password will not be backed up)
1=Backup the password to Azure AD only
2=Backup the password to Active Directory only
If not specified, this setting will default to 0.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Disabled (password will not be backed up)</ValueDescription>
</Enum>
<Enum>
<Value>1</Value>
<ValueDescription>Backup the password to Azure AD only</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Backup the password to Active Directory only</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordAgeDays</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>30</DefaultValue>
<Description>Use this policy to configure the maximum password age of the managed local administrator account.
If not specified, this setting will default to 30 days
This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
This setting has a maximum allowed value of 365 days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[1-365]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<DependencyChangedAllowedValues ValueType="Range">
<Value>[7-365]</Value>
</DependencyChangedAllowedValues>
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>BackupDirectory configured to Azure AD</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordComplexity</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<Description>Use this setting to configure password complexity of the managed local administrator account.
The allowable settings are:
1=Large letters
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters
If not specified, this setting will default to 4.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Large letters</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Large letters + small letters</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Large letters + small letters + numbers</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Large letters + small letters + numbers + special characters</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>14</DefaultValue>
<Description>Use this setting to configure the length of the password of the managed local administrator account.
If not specified, this setting will default to 14 characters.
This setting has a minimum allowed value of 8 characters.
This setting has a maximum allowed value of 64 characters.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[8-64]</Value>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AdministratorAccountName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name of the managed local administrator account.
If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
If specified, the specified account's password will be managed.
Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PasswordExpirationProtectionEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>True</DefaultValue>
<Description>Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy.
If not specified, this setting defaults to True.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Do not allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADPasswordEncryptionEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the password is encrypted before being stored in Active Directory.
This setting is ignored if the password is currently being stored in Azure.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory.
If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Store the password in clear-text form in Active Directory</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Store the password in encrypted form in Active Directory</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADPasswordEncryptionPrincipal</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
This setting is ignored if the password is currently being stored in Azure.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ADEncryptedPasswordHistorySize</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
If not specified, this setting will default to 0 passwords (disabled).
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-12]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PostAuthenticationResetDelay</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>24</DefaultValue>
<Description>Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
If not specified, this setting will default to 24 hours.
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
This setting has a maximum allowed value of 24 hours.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-24]</Value>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PostAuthenticationActions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Use this setting to specify the actions to take upon expiration of the configured grace period.
If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Reset password: upon expiry of the grace period, the managed account password will be reset.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Actions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Actions</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ResetPassword</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<AsynchronousTracking ResourceSuccessURI="ResetPasswordStatus" ResourceSuccessValues="0" ResourceInProgressValues="10" ResourceFailureValues="20"/>
</DFProperties>
</Node>
<Node>
<NodeName>ResetPasswordStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Use this setting to query the status of the last submitted ResetPassword execute action.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ResetPasswordStatus</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
</cspDefinition>
</identity>
```
## Related articles
[LAPS configuration service provider](laps-csp.md)

146
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because one or more lines are too long

47
windows/client-management/mdm/personaldataencryption-csp.md Normal file
View File

@ -0,0 +1,47 @@
---
title: PersonalDataEncryption CSP
description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/12/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
---
# PersonalDataEncryption CSP
The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
The following shows the PersonalDataEncryption configuration service provider in tree format:
```
./User/Vendor/MSFT/PDE
-- EnablePersonalDataEncryption
-- Status
-------- PersonalDataEncryptionStatus
```
**EnablePersonalDataEncryption**:
- 0 is default (disabled)
- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled.
**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
> [!Note]
> The policy is only applicable on Enterprise and Education SKUs.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|

127
windows/client-management/mdm/personaldataencryption-ddf-file.md Normal file
View File

@ -0,0 +1,127 @@
---
title: PersonalDataEncryption DDF file
description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/10/2022
ms.reviewer:
manager: dansimp
---
# PersonalDataEncryption DDF file
This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>PDE</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnablePersonalDataEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>PersonalDataEncryptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

10
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)

118
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_WindowsRemoteManagement policies
<dl>
@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### DesktopAppInstaller policies
<dl>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources" id="desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller"id="desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enabledefaultsource"id="desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablelocalmanifestfiles"id="desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablehashoverride"id="desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemicrosoftstoresource"id="desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemsappinstallerprotocol"id="desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablesettings"id="desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableallowedsources"id="desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableexperimentalfeatures"id="desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-sourceautoupdateinterval"id="desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
</dd>
</dl>
### DeviceGuard policies
<dl>
@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-experience.md#experience-allowsyncmysettings" id="experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
<dd>
<a href="./policy-csp-experience.md#experience-allowspotlightcollection" id="experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
</dd>
<dd>
<a href="./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata" id="experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
</dd>
@ -7895,6 +7936,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### Printers policies
<dl>
<dd>
<a href="./policy-csp-printers.md#printers-approvedusbprintdevices" id="printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-approvedusbprintdevicesuser" id="printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurecopyfilespolicy" id="printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configuredrivervalidationlevel" id="printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configureipppagecountspolicy" id="printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configureredirectionguardpolicy" id="printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpcconnectionpolicy" id="printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpclistenerpolicy" id="printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpctcpport" id="printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-enabledevicecontrol" id="printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-enabledevicecontroluser" id="printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-managedriverexclusionlist" id="printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-pointandprintrestrictions" id="printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -7904,6 +7981,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-printers.md#printers-publishprinters" id="printers-publishprinters">Printers/PublishPrinters</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-restrictdriverinstallationtoadministrators" id="printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
</dd>
</dl>
### Privacy policies
@ -8360,6 +8440,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd>
@ -8515,6 +8598,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-disablecontextmenus" id="start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-disablecontrolcenter" id="start-disablecontrolcenter">Start/DisableControlCenter</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-disableeditingquicksettings" id="start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-forcestartsize" id="start-forcestartsize">Start/ForceStartSize</a>
</dd>
@ -8545,6 +8634,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-hiderecentlyaddedapps" id="start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hiderecommendedsection" id="start-hiderecommendedsection">Start/HideRecommendedSection</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hiderestart" id="start-hiderestart">Start/HideRestart</a>
</dd>
@ -8560,6 +8652,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-hideswitchaccount" id="start-hideswitchaccount">Start/HideSwitchAccount</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hidetaskviewbutton" id="start-hidetaskviewbutton">Start/HideTaskViewButton</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hideusertile" id="start-hideusertile">Start/HideUserTile</a>
</dd>
@ -8569,6 +8664,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-nopinningtotaskbar" id="start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-simplifyquicksettings" id="start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-startlayout" id="start-startlayout">Start/StartLayout</a>
</dd>
@ -9166,6 +9264,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### WebThreatDefense policies
<dl>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-enableservice" id="webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifymalicious" id="webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifypasswordreuse" id="webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifyunsafeapp" id="webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
</dd>
</dl>
### Wifi policies
<dl>
@ -9308,6 +9423,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablemprnotifications" id="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>

595
windows/client-management/mdm/policy-csp-desktopappinstaller.md Normal file
View File

@ -0,0 +1,595 @@
---
title: Policy CSP - DesktopAppInstaller
description: Learn about the Policy CSP - DesktopAppInstaller.
ms.author: v-aljupudi
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.date: 08/24/2022
ms.reviewer:
manager: aaroncz
---
# Policy CSP - DesktopAppInstaller
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## DesktopAppInstaller policies
<dl>
<dd>
<a href="#desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
</dd>
<dd>
<a href="#desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
</dd>
<dd>
<a href="#desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableadditionalsources"></a>**DesktopAppInstaller/EnableAdditionalSources**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Additional Windows Package Manager Sources*
- GP name: *EnableAdditionalSources*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableappinstaller"></a>**DesktopAppInstaller/EnableAppInstaller**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
- If you disable this setting, users won't be able to use the Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
- GP name: *EnableAppInstaller*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enabledefaultsource"></a>**DesktopAppInstaller/EnableDefaultSource**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the default source included with the Windows Package Manager.
If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
- If you disable this setting the default source for the Windows Package Manager won't be available.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Default Source*
- GP name: *EnableDefaultSource*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablelocalmanifestfiles"></a>**DesktopAppInstaller/EnableLocalManifestFiles**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can install packages with local manifest files.
- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
- GP name: *EnableLocalManifestFiles*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<!--Policy-->
<a href="" id="desktopappinstaller-enablehashoverride"></a>**DesktopAppInstaller/EnableHashOverride**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable App Installer Hash Override*
- GP name: *EnableHashOverride*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablemicrosoftstoresource"></a>**DesktopAppInstaller/EnableMicrosoftStoreSource**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the Microsoft Store source included with the Windows Package Manager.
If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
- GP name: *EnableMicrosoftStoreSource*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablemsappinstallerprotocol"></a>**DesktopAppInstaller/EnableMSAppInstallerProtocol**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users will not be able to install packages from websites that use this protocol.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable MS App Installer Protocol*
- GP name: *EnableMSAppInstallerProtocol*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablesettings"></a>**DesktopAppInstaller/EnableSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can change their settings. The settings are stored inside of a .json file on the users system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
- If you disable this setting, users will not be able to change settings for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Settings Command*
- GP name: *EnableSettings*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableallowedsources"></a>**DesktopAppInstaller/EnableAllowedSources**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Settings Command*
- GP name: *EnableAllowedSources*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableexperimentalfeatures"></a>**DesktopAppInstaller/EnableExperimentalFeatures**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Experimental Features*
- GP name: *EnableExperimentalFeatures*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-sourceautoupdateinterval"></a>**DesktopAppInstaller/SourceAutoUpdateInterval**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
- GP name: *SourceAutoUpdateInterval*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

47
windows/client-management/mdm/policy-csp-experience.md
View File

@ -50,6 +50,9 @@ manager: aaroncz
<dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
<dd>
<a href="#experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
</dd>
<dd>
<a href="#experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
</dd>
@ -494,6 +497,50 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowspotlightcollection"></a>**Experience/AllowSpotlightCollection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows spotlight collection on the device.
- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings.
- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop
- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft
- Default value: 1
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**

68
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -46,8 +46,13 @@ manager: aaroncz
<dd>
<a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
</dd>
<dd>
<a href="#fileexplorer-disablegraphrecentitems">FileExplorer/DisableGraphRecentItems</a>
</dd>
</dl>
<hr/>
<!--Policy-->
@ -276,10 +281,10 @@ This policy configures the folders that the user can enumerate and access in the
The following list shows the supported values:
- 0: All folders
- 15:Desktop, Documents, Pictures, and Downloads
- 31:Desktop, Documents, Pictures, Downloads, and Network
- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
- 15: Desktop, Documents, Pictures, and Downloads
- 31: Desktop, Documents, Pictures, Downloads, and Network
- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network
<!--/SupportedValues-->
@ -331,7 +336,7 @@ This policy configures the folders that the user can enumerate and access in the
<!--SupportedValues-->
The following list shows the supported values:
- 0: all storage locations
- 0: All storage locations
- 1: Removable Drives
- 2: Sync roots
- 3: Removable Drives, Sync roots, local drive
@ -350,6 +355,59 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-disablegraphrecentitems"></a>**FileExplorer/DisableGraphRecentItems**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: Files from Office.com will display in the Home node
- 1: No files from Office.com will be retrieved or displayed
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off files from Office.com in Quick access view*
- GP name: *DisableGraphRecentItems*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

53
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -20,6 +20,9 @@ manager: aaroncz
## HumanPresence policies
<dl>
<dd>
<a href="#humanpresence-forceinstantdim">HumanPresence/ForceInstantDim</a>
</dd>
<dd>
<a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
@ -33,6 +36,56 @@ manager: aaroncz
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantdim"></a>**HumanPresence/ForceInstantDim**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Force Instant Dim*
- GP name: *ForceInstantDim*
- GP path: *Windows Components/Human Presence*
- GP ADMX file name: *Sensors.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**

227
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -32,6 +32,18 @@ manager: aaroncz
<dd>
<a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha1">Kerberos/PKInitHashAlgorithmSHA1</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha256">Kerberos/PKInitHashAlgorithmSHA256</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha384">Kerberos/PKInitHashAlgorithmSHA384</a>
</dd>
<dd>
<a href="#kerberos-pkinithashalgorithmsha512">Kerberos/PKInitHashAlgorithmSHA512</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
@ -231,22 +243,20 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
If you enable this policy, you'll be able to configure one of four states for each algorithm:
* **Default**: This state sets the algorithm to the recommended state.
* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
If you disable or don't configure this policy, each algorithm will assume the **Default** state.
* 0 - **Disabled**
* 1 - **Enabled**
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -256,6 +266,209 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha1"></a>**Kerberos/PKInitHashAlgorithmSHA1**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha256"></a>**Kerberos/PKInitHashAlgorithmSHA256**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha384"></a>**Kerberos/PKInitHashAlgorithmSHA384**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-pkinithashalgorithmsha512"></a>**Kerberos/PKInitHashAlgorithmSHA512**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
* 1 - **Default**: This state sets the algorithm to the recommended state.
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**

131
windows/client-management/mdm/policy-csp-lsa.md Normal file
View File

@ -0,0 +1,131 @@
---
title: Policy CSP - LocalSecurityAuthority
description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
ms.author: vinpa
author: vinaypamnani-msft
ms.reviewer:
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 08/26/2022
---
# Policy CSP - LocalSecurity Authority
<hr/>
<!--Policies-->
## LocalSecurityAuthority policies
<dl>
<dd>
<a href="#localsecurityauthority-allowcustomsspsaps">LocalSecurityAuthority/AllowCustomSSPsAPs</a>
</dd>
<dd>
<a href="#localsecurityauthority-configurelsaprotectedprocess">LocalSecurityAuthority/ConfigureLsaProtectedProcess</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="localsecurityauthority-allowcustomsspsaps"></a>**LocalSecurityAuthority/AllowCustomSSPsAPs**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.
If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
- GP name: *AllowCustomSSPsAPs*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localsecurityauthority-configurelsaprotectedprocess"></a>**Kerberos/ConfigureLsaProtectedProcess**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.
If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure LSASS to run as a protected process*
- GP name: *ConfigureLsaProtectedProcess*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked-->

704
windows/client-management/mdm/policy-csp-printers.md
View File

@ -27,12 +27,36 @@ manager: aaroncz
<dd>
<a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="#printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
</dd>
<dd>
<a href="#printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
</dd>
<dd>
<a href="#printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
</dd>
<dd>
<a href="#printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
</dd>
<dd>
<a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="#printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -42,6 +66,9 @@ manager: aaroncz
<dd>
<a href="#printers-publishprinters">Printers/PublishPrinters</a>
</dd>
<dd>
<a href="#printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
</dd>
</dl>
> [!TIP]
@ -57,38 +84,14 @@ manager: aaroncz
<a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m
This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
Parent deliverable: 26209274 - Device Control: Printer
<!--/Description-->
<!--ADMXBacked-->
@ -129,38 +131,14 @@ ADMX Info:
<a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -194,42 +172,423 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="printers-configurecopyfilespolicy"></a>**Printers/ConfigureCopyFilesPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD. Defaults to 1.
- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage processing of Queue-specific files*
- GP name: *ConfigureCopyFilesPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configuredrivervalidationlevel"></a>**Printers/ConfigureDriverValidationLevel**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD. Defaults to 4.
- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage Print Driver signature validation*
- GP name: *ConfigureDriverValidationLevel*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configureipppagecountspolicy"></a>**Printers/ConfigureIppPageCountsPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
The following are the supported values:
AlwaysSendIppPageCounts: DWORD. Defaults to 0.
- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Always send job page count information for IPP printers*
- GP name: *ConfigureIppPageCountsPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configureredirectionguardpolicy"></a>**Printers/ConfigureRedirectionGuardPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD, defaults to 1.
- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Redirection Guard*
- GP name: *ConfigureRedirectionGuardPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpcconnectionpolicy"></a>**Printers/ConfigureRpcConnectionPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
There are 2 values which can be configured:
- RpcUseNamedPipeProtocol DWORD
- 0: RpcOverTcp (default)
- 1: RpcOverNamedPipes
- RpcAuthentication DWORD
- 0: RpcConnectionAuthenticationDefault (default)
- 1: RpcConnectionAuthenticationEnabled
- 2: RpcConnectionAuthenticationDisabled
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC connection settings*
- GP name: *ConfigureRpcConnectionPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpclistenerpolicy"></a>**Printers/ConfigureRpcListenerPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
There are 2 values which can be configured:
- RpcProtocols DWORD
- 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
- 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
- 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
- ForceKerberosForRpc DWORD
- 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
- 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC listener settings*
- GP name: *ConfigureRpcListenerPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpctcpport"></a>**Printers/ConfigureRpcTcpPort**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
- RpcTcpPort DWORD
- 0: Use dynamic TCP ports for RPC over TCP (default).
- 1-65535: Use the given port for RPC over TCP.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC over TCP port*
- GP name: *ConfigureRpcTcpPort*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -274,38 +633,14 @@ ADMX Info:
<a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -345,6 +680,62 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="printers-managedriverexclusionlist"></a>**Printers/ManageDriverExclusionList**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
The following are the supported values:
Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
Type: REG_SZ
Value Name: Hash of excluded file
Value Data: Name of excluded file
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage Print Driver exclusion list*
- GP name: *ManageDriverExclusionList*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
@ -548,6 +939,61 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-restrictdriverinstallationtoadministrators"></a>**Printers/RestrictDriverInstallationToAdministrators**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users.
This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
The following are the supported values:
- Not configured or Enabled - Only administrators can install print drivers on the computer.
- Disabled - Standard users are allowed to install print drivers on the computer.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Restrict installation of print drivers to Administrators*
- GP name: *RestrictDriverInstallationToAdministrators*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--/Policies-->
## Related topics

56
windows/client-management/mdm/policy-csp-search.md
View File

@ -57,6 +57,9 @@ manager: aaroncz
<dd>
<a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd>
<dd>
<a href="#search-disablesearch">Search/DisableSearch</a>
</dd>
<dd>
<a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd>
@ -639,6 +642,57 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="search-disablesearch"></a>**Search/DisableSearch**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Fully disable Search UI*
- GP name: *DisableSearch*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Do not disable search.
- 1 Disable search.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**
@ -774,7 +828,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.
<!--/Description-->
<!--ADMXMapped-->

274
windows/client-management/mdm/policy-csp-start.md
View File

@ -56,6 +56,12 @@ manager: aaroncz
<dd>
<a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
<dd>
<a href="#start-disablecontrolcenter">Start/DisableControlCenter</a>
</dd>
<dd>
<a href="#start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
</dd>
<dd>
<a href="#start-forcestartsize">Start/ForceStartSize</a>
</dd>
@ -86,6 +92,9 @@ manager: aaroncz
<dd>
<a href="#start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
</dd>
<dd>
<a href="#start-hiderecommendedsection">Start/HideRecommendedSection</a>
</dd>
<dd>
<a href="#start-hiderestart">Start/HideRestart</a>
</dd>
@ -101,6 +110,9 @@ manager: aaroncz
<dd>
<a href="#start-hideswitchaccount">Start/HideSwitchAccount</a>
</dd>
<dd>
<a href="#start-hidetaskviewbutton">Start/HideTaskViewButton</a>
</dd>
<dd>
<a href="#start-hideusertile">Start/HideUserTile</a>
</dd>
@ -113,6 +125,9 @@ manager: aaroncz
<dd>
<a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
</dd>
<dd>
<a href="#start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
</dd>
<dd>
<a href="#start-startlayout">Start/StartLayout</a>
</dd>
@ -665,6 +680,100 @@ The following list shows the supported values:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disablecontrolcenter"></a>**Start/DisableControlCenter**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume.
If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled.
>[!Note]
> A reboot is required for this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Remove control center*
- GP name: *DisableControlCenter*
- GP path: *Start Menu and Taskbar*
- GP ADMX file name: *Taskbar.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- Integer 0 - Disabled/Not configured.
- Integer 1 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disableeditingquicksettings"></a>**Start/DisableEditingQuickSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to indicate whether Quick Actions can be edited by the user.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: Allow editing Quick Actions (default)
- 1: Disable editing Quick Actions
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
@ -1208,6 +1317,47 @@ To validate on Desktop, do the following steps:
<hr/>
<!--Policy-->
<a href="" id="start-hiderecommendedsection"></a>**Start/HideRecommendedSection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to hide the Start Menu's Recommended section when enabled.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default): Do not hide the Start menu's Recommended section.
- 1: Hide the Start menu's Recommended section.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-hiderestart"></a>**Start/HideRestart**
@ -1453,6 +1603,48 @@ To validate on Desktop, do the following steps:
<hr/>
<!--Policy-->
<a href="" id="start-hidetaskviewbutton"></a>**Start/HideTaskViewButton**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default): Do not hide the Taskbar's Task View button.
- 1: Hide the Taskbar's Task View button.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-hideusertile"></a>**Start/HideUserTile**
@ -1622,38 +1814,15 @@ To validate on Desktop, do the following steps:
<a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -1686,6 +1855,47 @@ On clean install, the user setting defaults to "hide".
<hr/>
<!--Policy-->
<a href="" id="start-simplifyquicksettings"></a>**Start/SimplifyQuickSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: load regular Quick Actions layout.
- 1: load simplified Quick Actions layout.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-startlayout"></a>**Start/StartLayout**

233
windows/client-management/mdm/policy-csp-webthreatdefense.md Normal file
View File

@ -0,0 +1,233 @@
---
title: Policy CSP - WebThreatDefense
description: Learn about the Policy CSP - WebThreatDefense.
ms.author: v-aljupudi
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
---
# Policy CSP - WebThreatDefense
<hr/>
<!--Policies-->
## WebThreatDefense policies
<dl>
<dd>
<a href="#webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
</dd>
<dd>
<a href="#webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
</dd>
<dd>
<a href="#webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
</dd>
<dd>
<a href="#webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
</dd>
</dl>
>[!NOTE]
>In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category.
<!--Policy-->
<a href="" id="webthreatdefense-enableservice"></a>**WebThreatDefense/EnableService**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.
If you enable this policy setting or dont configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Configure Web Threat Defense*
- GP name: *EnableWebThreatDefenseService*
- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections*
- GP ADMX file name: *WebThreatDefense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection.
- 1:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifymalicious"></a>**WebThreatDefense/NotifyMalicious**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
- 1:Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifypasswordreuse"></a>**WebThreatDefense/NotifyPasswordReuse**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users reuse their work or school password.
- 1:Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifyunsafeapp"></a>**WebThreatDefense/NotifyUnsafeApp**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
- 1:Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

49
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -35,6 +35,9 @@ manager: aaroncz
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
@ -362,6 +365,52 @@ Supported values:
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
If you disable (0), MPR notifications will not be sent by winlogon.
If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
<!--/Description-->
<!--SupportedValues-->
Supported values:
- 0 - disabled
- 1 (default)- enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**

8
windows/client-management/mdm/sharedpc-csp.md
View File

@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme
./Vendor/MSFT
SharedPC
----EnableSharedPCMode
----EnableSharedPCModeWithOneDriveSync
----SetEduPolicies
----SetPowerPolicies
----MaintenanceStartTime
@ -61,6 +62,13 @@ Setting this value to True triggers the action to configure a device to Shared P
The default value is Not Configured and SharedPC mode is not enabled.
<a href="" id="enablesharedpcmodewithonedrivesync"></a>**EnableSharedPCModeWithOneDriveSync**
Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on.
The supported operations are Add, Get, Replace, and Delete.
The default value is false.
<a href="" id="setedupolicies"></a>**SetEduPolicies**
A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.

26
windows/client-management/mdm/sharedpc-ddf-file.md
View File

@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableSharedPCModeWithOneDriveSync</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable Shared PC mode with OneDrive sync</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SetEduPolicies</NodeName>
<DFProperties>

16
windows/client-management/mdm/toc.yml
View File

@ -299,6 +299,11 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
- name: Local Administrator Password Solution CSP
href: laps-csp.md
items:
- name: Local Administrator Password Solution DDF
href: laps-ddf-file.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@ -333,6 +338,11 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- name: PersonalDataEncryption CSP
href: personaldataencryption-csp.md
items:
- name: PersonalDataEncryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization CSP
href: personalization-csp.md
items:
@ -685,6 +695,8 @@ items:
href: policy-csp-deliveryoptimization.md
- name: Desktop
href: policy-csp-desktop.md
- name: DesktopAppInstaller
href: policy-csp-desktopappinstaller.md
- name: DeviceGuard
href: policy-csp-deviceguard.md
- name: DeviceHealthMonitoring
@ -733,6 +745,8 @@ items:
href: policy-csp-licensing.md
- name: LocalPoliciesSecurityOptions
href: policy-csp-localpoliciessecurityoptions.md
- name: LocalSecurityAuthority
href: policy-csp-lsa.md
- name: LocalUsersAndGroups
href: policy-csp-localusersandgroups.md
- name: LockDown
@ -813,6 +827,8 @@ items:
href: policy-csp-userrights.md
- name: VirtualizationBasedTechnology
href: policy-csp-virtualizationbasedtechnology.md
- name: WebThreatDefense
href: policy-csp-webthreatdefense.md
- name: Wifi
href: policy-csp-wifi.md
- name: WindowsAutoPilot

2
windows/configuration/TOC.yml
View File

@ -43,7 +43,7 @@
- name: Accessibility settings
items:
- name: Accessibility information for IT Pros
href: windows-10-accessibility-for-ITPros.md
href: windows-accessibility-for-ITPros.md
- name: Configure access to Microsoft Store
href: stop-employees-from-using-microsoft-store.md
- name: Configure Windows Spotlight on the lock screen

2
windows/configuration/customize-taskbar-windows-11.md
View File

@ -157,7 +157,7 @@ Use the following steps to add your XML file to a group policy, and apply the po
4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/).
For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
### Create a Microsoft Endpoint Manager policy to deploy your XML file

8
windows/configuration/kiosk-xml.md
View File

@ -59,7 +59,7 @@ ms.topic: article
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
<!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -192,7 +192,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
<!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -313,7 +313,7 @@ This sample demonstrates that only a global profile is used, with no active user
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
<!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -365,7 +365,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
<!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />

2
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -458,7 +458,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
<!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
"%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
"%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only
see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
-->
<!-- for inbox desktop applications, a link file might already exist and can be used directly -->
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />

2
windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
View File

@ -179,6 +179,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
- [Update CSP](/windows/client-management/mdm/update-csp)
- [VPN CSP](/windows/client-management/mdm/vpn-csp)
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- [Wi-Fi CSP](/documentation/)
- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp)
- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)

8
windows/configuration/supported-csp-start-menu-layout-windows.md
View File

@ -14,6 +14,7 @@ ms.localizationpriority: medium
**Applies to**:
- Windows 11
- Windows 11, version 22H2
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
@ -49,6 +50,10 @@ For information on customizing the Start menu layout using policy, see [Customiz
The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
**The following policies are supported starting with Windows 11, version 22H2:**
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
## Existing CSP policies that Windows 11 doesn't support
- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
@ -57,6 +62,9 @@ For information on customizing the Start menu layout using policy, see [Customiz
- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
- Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
> [!NOTE]
> The following two policies are supported starting in Windows 11, version 22H2
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- Group policy:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu`

91
windows/configuration/windows-10-accessibility-for-ITPros.md
View File

@ -1,91 +0,0 @@
---
title: Windows 10 accessibility information for IT Pros (Windows 10)
description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
ms.prod: w10
ms.author: lizlong
author: lizgt2000
ms.localizationpriority: medium
ms.date: 01/12/2018
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
# Accessibility information for IT Professionals
Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
This topic helps IT administrators learn about built-in accessibility features, and includes a few recommendations for how to support people in your organization who use these features.
## General recommendations
- **Be aware of Ease of Access settings** Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10.
- **Do not block settings** Avoid using Group Policy or MDM settings that override Ease of Access settings.
- **Encourage choice** Allow people in your organization to customize their computers based on their needs. That customization might mean installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision
| Accessibility feature | Description |
|---------------------------|------------|
| [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.|
| [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.|
| Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.|
| Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers various configuration settings.|
| [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.|
| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| [Customize the size](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) of screen items | You can adjust the size of text, icons, and other screen items to make them easier to see.|
| [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Many high-contrast themes are available to suit your needs.|
| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
| [Read in Braille](https://support.microsoft.com/help/4004263) | Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.|
## Hearing
| Accessibility feature | Description |
|---------------------------|------------|
| [Transcribe with Translator](https://www.skype.com/en/features/skype-translator) | Translator can transcribe voice to text so you wont miss whats being said. |
| [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on various platforms and devices, so you dont have to worry about whether your co-workers, friends and family can communicate with you.|
| [Get visual notifications for sounds](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | You can replace audible alerts with visual alerts.|
| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear)|If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
| [Read spoken words with closed captioning](https://support.microsoft.com/help/21055/windows-10-closed-caption-settings) | You can customize things like color, size, and background transparency to suit your needs and tastes.|
| [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those people with partial hearing loss or deafness in one ear.|
## Physical
| Accessibility feature | Description|
|---------------------------|------------|
| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
| [Live Tiles](https://support.microsoft.com/help/17176/windows-10-organize-your-apps)| Because Live Tiles display constantly updated information for many apps, you don't have to bother actually opening them. You can arrange, resize, and move tiles as needed.|
| [Keyboard assistance features](https://support.microsoft.com/help/27936)| You can personalize your keyboard to ignore repeated keys and do other helpful things if you have limited control of your hands.|
| [Mouse Keys](https://support.microsoft.com/help/27936)|If a mouse is difficult to use, you can control the pointer by using your numeric keypad.|
## Cognition
| Accessibility feature | Description|
|---------------------------|------------|
| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| [Use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721) | Fluent Sitka Small and Fluent Calibri are fonts that address "visual crowding" by adding character and enhance word and line spacing. |
| [Edge Reading View](https://support.microsoft.com/help/17204/windows-10-take-your-reading-with-you) | Clears distracting content from web pages so you can stay focused on what you really want to read. |
| [Edge includes an e-book reader](https://support.microsoft.com/help/4014945) | The Microsoft Edge e-book reader includes options to increase text spacing and read text aloud to help make it easier for everyone to read and enjoy text, including people with learning differences like dyslexia and English language learners. |
## Assistive technology devices built into Windows 10
| Assistive technology | How it helps |
|---------------------------|------------|
| [Hear text read aloud with Narrator](https://support.microsoft.com/help/17173) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
| [Use Speech Recognition]( https://support.microsoft.com/help/17208 ) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
| [Save time with keyboard shortcuts]( https://support.microsoft.com/help/17189) | Keyboard shortcuts for apps and desktops.|
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
[Designing accessible software]( https://msdn.microsoft.com/windows/uwp/accessibility/designing-inclusive-software)
[Inclusive Design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

117
windows/configuration/windows-accessibility-for-ITPros.md Normal file
View File

@ -0,0 +1,117 @@
---
title: Windows accessibility information for IT Pros
description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
ms.prod: windows-client
ms.technology: itpro-configure
ms.author: lizlong
author: lizgt2000
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
ms.date: 09/20/2022
ms.topic: reference
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# Accessibility information for IT professionals
Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).<!-- 6294246 -->
## General recommendations
- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision
- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
- [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
- [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
- [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
- Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
- Adjust the size of text, icons, and other screen items to make them easier to see.
- Many high-contrast themes are available to suit your needs.
- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
## Hearing
- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
- Replace audible alerts with visual alerts.
- If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
## Physical
- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
- If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
- If a mouse is difficult to use, you can control the pointer by using your numeric keypad.
## Cognition
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
## Assistive technology devices built into Windows
- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
[Inclusive design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

57
windows/configure/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-configure"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-configure",
"markdownEngineName": "markdig"
}
}

56
windows/deploy/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-deploy",
"markdownEngineName": "markdig"
}
}

6
windows/deployment/index.yml
View File

@ -100,8 +100,8 @@ landingContent:
- linkListType: learn
links:
- text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-plan
url: /training/modules/windows-plan
- text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-prepare/
url: /training/modules/windows-prepare/
- text: Deploy updates for Windows 10 and Microsoft 365 Apps
url: /learn/modules/windows-deploy
url: /training/modules/windows-deploy

65
windows/deployment/update/check-release-health.md
View File

@ -1,11 +1,14 @@
---
title: "How to check Windows release health"
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
ms.date: 08/16/2022
ms.author: v-nishmi
author: DocsPreview
manager: jren
ms.topic: article
ms.reviewer: mstewart
ms.topic: how-to
ms.prod: w10
localization_priority: Normal
localization_priority: medium
ms.custom:
- Adm_O365
- 'O365P_ServiceHealthModern'
@ -21,27 +24,26 @@ search.appverid:
- MOE150
- BCS160
- IWA160
description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
---
# How to check Windows release health
The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization.
The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant.
If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant.
To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate).
To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
## How to review Windows release health information
1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account.
1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account.
> [!NOTE]
> By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center).
> By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system.
3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
@ -63,7 +65,7 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
- **Originating KB** - The KB number where the issue was first identified.
- **Originating build** - The build number for the KB.
Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. For example:
![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
@ -71,16 +73,15 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
| Status | Definition |
|:-----|:-----|
|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. |
|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issues scope of impact, mitigation steps, and root cause. |
|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
|**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once its deployed in the customers environment. |
|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once its deployed in the customers environment. |
|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
## Known issue history
@ -100,25 +101,25 @@ A list of all status updates posted in the selected timeframe will be displayed,
Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
- **Where do I find Windows release health?**
After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and youll see **Windows release health**.
After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?**
No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, youll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
- **How often will content be updated?**
In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
- **Can I share this content publicly or with other Windows customers?**
Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly.
Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
- **Is the content redundant? How is the content organized in the different tabs?**
Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved.
Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved.
- **How do I find information for the versions of Windows Im managing?**
On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
- **How do I find information for the versions of Windows I'm managing?**
On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
### Microsoft 365 Admin Center functions
@ -126,13 +127,13 @@ A list of all status updates posted in the selected timeframe will be displayed,
You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
- **How do I add other Windows admins?**
Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.”
Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
- **Why cant I click to the KB article from the Known issues or History tabs?**
Within the issue description, youll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issues Details pane.
- **Why can't I click to the KB article from the Known issues or History tabs?**
Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
- **Microsoft 365 admin center has a mobile app but I dont see Windows release health under the Health menu. Is this an open issue?**
We are working to build the Windows release health experience on mobile devices in a future release.
- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
We're working to build the Windows release health experience on mobile devices in a future release.
### Help and support
@ -140,7 +141,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue youre seeking help on, click the Details pane and youll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”.
The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
- **How can I learn more about expanding my use of Microsoft 365 admin center?**
To learn more, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).

4
windows/deployment/update/deploy-updates-configmgr.md
View File

@ -2,9 +2,9 @@
title: Deploy Windows client updates with Configuration Manager
description: Deploy Windows client updates with Configuration Manager
ms.prod: w10
author: aczechowski
author: mestew
ms.localizationpriority: medium
ms.author: aaroncz
ms.author: mstewart
ms.reviewer:
manager: dougeby
ms.topic: article

4
windows/deployment/update/deployment-service-overview.md
View File

@ -88,8 +88,8 @@ The Microsoft Graph SDK includes a PowerShell extension that you can use to scri
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/)
- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/)
- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.

29
windows/deployment/update/waas-restart.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.custom:
- seo-marvel-apr2020
ms.collection: highpri
date: 09/22/2022
---
# Manage device restarts after updates
@ -18,11 +19,11 @@ ms.collection: highpri
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
@ -100,15 +101,27 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
## Control restart notifications
In Windows 10, version 1703, we have added settings to control restart notifications for users.
### Display options for update notifications
Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
### Auto-restart notifications
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
@ -198,10 +211,10 @@ There are three different registry combinations for controlling restart behavior
## Related articles
- [Update Windows 10 in the enterprise](index.md)
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)

40
windows/deployment/update/waas-wu-settings.md
View File

@ -3,12 +3,12 @@ title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update.
ms.prod: w10
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
manager: dougeby
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
date: 09/22/2022
---
# Manage additional Windows Update settings
@ -36,6 +36,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#bkmk_display-name) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
>[!IMPORTANT]
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@ -230,7 +231,7 @@ To do this, follow these steps:
> [!NOTE]
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
To use Automatic Updates with a server that is running Windows Software Update Services (WSUS), see the [Deploying Microsoft Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services) guidance.
When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
@ -246,3 +247,32 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
* WUStatusServer (REG_SZ)
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
## <a name="bkmk_display-name"> </a> Display organization name in Windows Update notifications
<!--6286260-->
When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
- **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
- **DWORD value name**: UsoDisableAADJAttribution
- **Value data:** 1
The following PowerShell script is provided as an example to you:
```powershell
$registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations"
$Name = "UsoDisableAADJAttribution"
$value = "1"
if (!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
```

10
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -178,12 +178,14 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) Use the default Windows Update notifications
**1** Turn off all notifications, excluding restart warnings
**2** Turn off all notifications, including restart warnings
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
> Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
Still more options are available in **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates**. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.

8
windows/deployment/upgrade/setupdiag.md
View File

@ -444,14 +444,14 @@ System Information:
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
```
### XML log sample
```xml
<?xml version="1.0" encoding="utf-16"?>
<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://docs.microsoft.com/windows/deployment/upgrade/setupdiag">
<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://learn.microsoft.com/windows/deployment/upgrade/setupdiag">
<Version>1.6.0.0</Version>
<ProfileName>FindSPFatalError</ProfileName>
<ProfileGuid>A4028172-1B09-48F8-AD3B-86CDD7D55852</ProfileGuid>
@ -494,7 +494,7 @@ Error: 0x00000057</FailureData>
<FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
<FailureData>LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
<FailureData>
Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
<FailureDetails>Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel</FailureDetails>
</SetupDiag>
```
@ -548,7 +548,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
"LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[
gle=0x00000057
]",
"\u000aRefer to \"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Debug\/system-error-codes\" for error information."
"\u000aRefer to \"https:\/\/learn.microsoft.com\/windows\/desktop\/Debug\/system-error-codes\" for error information."
],
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,

61
windows/device-security/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg",
"**/*.gif"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-device-security",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-device-security",
"markdownEngineName": "markdig"
}
}

57
windows/eulas/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "eula-vsts",
"markdownEngineName": "markdig"
}
}

2
windows/hub/index.yml
View File

@ -105,7 +105,7 @@ conceptualContent:
- url: /windows/configuration/provisioning-packages/provisioning-packages
itemType: how-to-guide
text: Use Provisioning packages to configure new devices
- url: /windows/configuration/windows-10-accessibility-for-itpros
- url: /windows/configuration/windows-accessibility-for-itpros
itemType: overview
text: Accessibility information for IT Pros
- url: /windows/configuration/customize-start-menu-layout-windows-11

57
windows/keep-secure/docfx.json
View File

@ -1,57 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.keep-secure",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "keep-secure",
"markdownEngineName": "markdig"
}
}

58
windows/known-issues/docfx.json
View File

@ -1,58 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "known-issues",
"markdownEngineName": "markdig"
}
}

2
windows/manage/TOC.yml
View File

@ -1,2 +0,0 @@
- name: Test
href: test.md

56
windows/manage/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-manage",
"markdownEngineName": "markdig"
}
}

19
windows/manage/test.md
View File

@ -1,19 +0,0 @@
---
title: Test
description: Test
ms.prod: w11
ms.mktglfcycl: deploy
ms.sitesec: library
author: dstrome
ms.author: dstrome
ms.reviewer:
manager: dstrome
ms.topic: article
---
# Test
## Deployment planning
This article provides guidance to help you plan for Windows 11 in your organization.

56
windows/plan/docfx.json
View File

@ -1,56 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "windows-plan",
"markdownEngineName": "markdig"
}
}

36
windows/privacy/index.yml
View File

@ -68,50 +68,50 @@ productDirectory:
# # Card
# - title: cardtitle1
# links:
# - url: file1.md OR https://docs.microsoft.com/file1
# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2
# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3
# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter
# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # Card
# - title: cardtitle2
# links:
# - url: file1.md OR https://docs.microsoft.com/file1
# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2
# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3
# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter
# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # Card
# - title: cardtitle3
# links:
# - url: file1.md OR https://docs.microsoft.com/file1
# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
# - url: file2.md OR https://docs.microsoft.com/file2
# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
# - url: file3.md OR https://docs.microsoft.com/file3
# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
# url: filefooter.md OR https://docs.microsoft.com/filefooter
# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # tools section (optional)
@ -122,15 +122,15 @@ productDirectory:
# # Card
# - title: cardtitle1
# # imageSrc should be square in ratio with no whitespace
# imageSrc: ./media/index/image1.svg OR https://docs.microsoft.com/media/logos/image1.svg
# imageSrc: ./media/index/image1.svg OR https://learn.microsoft.com/media/logos/image1.svg
# url: file1.md
# # Card
# - title: cardtitle2
# imageSrc: ./media/index/image2.svg OR https://docs.microsoft.com/media/logos/image2.svg
# imageSrc: ./media/index/image2.svg OR https://learn.microsoft.com/media/logos/image2.svg
# url: file2.md
# # Card
# - title: cardtitle3
# imageSrc: ./media/index/image3.svg OR https://docs.microsoft.com/media/logos/image3.svg
# imageSrc: ./media/index/image3.svg OR https://learn.microsoft.com/media/logos/image3.svg
# url: file3.md
# additionalContent section (optional)
@ -144,15 +144,15 @@ productDirectory:
# # Card
# - title: cardtitle1
# summary: cardsummary1
# url: file1.md OR https://docs.microsoft.com/file1
# url: file1.md OR https://learn.microsoft.com/file1
# # Card
# - title: cardtitle2
# summary: cardsummary2
# url: file1.md OR https://docs.microsoft.com/file2
# url: file1.md OR https://learn.microsoft.com/file2
# # Card
# - title: cardtitle3
# summary: cardsummary3
# url: file1.md OR https://docs.microsoft.com/file3
# url: file1.md OR https://learn.microsoft.com/file3
# # footer (optional)
# footer: "footertext [linktext](/footerfile)"

61
windows/release-information/docfx.json
View File

@ -1,61 +0,0 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
"audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
"feedback_system": "None",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
]
},
"fileMetadata": {},
"template": [],
"dest": "release-information",
"markdownEngineName": "markdig"
}
}

19
windows/security/TOC.yml
View File

@ -8,10 +8,16 @@
items:
- name: Overview
href: hardware.md
- name: Microsoft Pluton security processor
items:
- name: Microsoft Pluton overview
href: information-protection/pluton/microsoft-pluton-security-processor.md
- name: Microsoft Pluton as TPM
href: information-protection/pluton/pluton-as-tpm.md
- name: Trusted Platform Module
href: information-protection/tpm/trusted-platform-module-top-node.md
items:
- name: Trusted Platform Module Overview
- name: Trusted Platform Module overview
href: information-protection/tpm/trusted-platform-module-overview.md
- name: TPM fundamentals
href: information-protection/tpm/tpm-fundamentals.md
@ -149,6 +155,14 @@
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security
@ -281,6 +295,9 @@
href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- name: Microsoft Defender SmartScreen overview
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
items:
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
- name: Configure S/MIME for Windows
href: identity-protection\configure-s-mime.md
- name: Windows Credential Theft Mitigation Guide Abstract

26
windows/security/encryption-data-protection.md
View File

@ -2,17 +2,17 @@
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
search.appverid: MET150
author: denisebmsft
ms.author: deniseb
manager: dansimp
ms.topic: conceptual
ms.date: 09/08/2021
ms.prod: m365-security
ms.technology: windows-sec
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: overview
ms.date: 09/22/2022
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
ms.reviewer: deepakm, rafals
ms.reviewer: rafals
---
# Encryption and data protection in Windows client
@ -32,8 +32,8 @@ Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
@ -45,8 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
## Personal Data Encryption (PDE)
<!-- Max 5963468 OS 32516487 -->
(*Applies to: Windows 11, version 22H2 and later*)
[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)

20
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@ -22,6 +22,24 @@ appliesto:
- ✅ <b>Windows Server 2022</b>
---
# Manage Windows Defender Credential Guard
## Default Enablement
Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
### Requirements for automatic enablement
Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
|Component|Requirement|
|---|---|
|Operating System|Windows 11 Enterprise 22H2|
|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
> [!NOTE]
> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.

9
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
> [!WARNING]
> Enabling Windows Defender Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
> [!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve
|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT]
> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.

8
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -25,6 +25,8 @@ appliesto:
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
Set-StrictMode -Version Latest
$path = "C:\DGLogs\"
$LogFile = $path + "DeviceGuardCheckLog.txt"
@ -796,7 +798,13 @@ function CheckOSArchitecture
function CheckSecureBootState
{
try {
$_secureBoot = Confirm-SecureBootUEFI
}
catch
{
$_secureBoot = $false
}
Log $_secureBoot
if($_secureBoot)
{

10
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Multi-factor Authentication is required during Windows Hello for Business provisioning
- Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments)
- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments)
- One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models
Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*.
Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
The trust model determines how you want users to authenticate to the on-premises Active Directory:
- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it.
- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!Note]
> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic:
- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md)
- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)

4
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -29,9 +29,9 @@ sections:
- name: Ignored
questions:
- question: What is Windows Hello for Business cloud trust?
- question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: What about virtual smart cards?

4
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
|--- |--- |--- |
|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust|
|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|

10
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview)
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview)
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
> [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)
## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.

8
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -26,7 +26,7 @@ List of provisioning flows:
- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@ -62,9 +62,9 @@ List of provisioning flows:
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment
## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
![Hybrid Azure AD joined provisioning in a cloud trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
![Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
| Phase | Description |
@ -74,7 +74,7 @@ List of provisioning flows:
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
> [!NOTE]
> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
[Return to top](#windows-hello-for-business-provisioning)

207
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md → windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -1,6 +1,6 @@
---
title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
@ -11,66 +11,68 @@ ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
appliesto:
- ✅ <b>Windows 10 21H2 and later</b>
- ✅ <b>Windows 10, version 21H2 and later</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Hybrid deployment</b>
- ✅ <b>Cloud Kerberos trust</b>
---
# Hybrid Cloud Trust Deployment (Preview)
# Hybrid Cloud Kerberos Trust Deployment (Preview)
Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
## Introduction to Cloud Trust
## Introduction to Cloud Kerberos Trust
The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup.
- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI
- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate
- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup
> [!NOTE]
> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
## Azure Active Directory Kerberos and Cloud Trust Authentication
## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.
More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
## Prerequisites
| Requirement | Notes |
| --- | --- |
| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
### Unsupported Scenarios
The following scenarios aren't supported using Windows Hello for Business cloud trust:
The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
- On-premises only deployments
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- Scenarios that require a certificate for authentication
- Using cloud trust for "Run as"
- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
- Using cloud Kerberos trust for "Run as"
- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
> [!NOTE]
> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys.
> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
>
> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>).
## Deployment Instructions
Deploying Windows Hello for Business cloud trust consists of two steps:
Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up Azure AD Kerberos in your hybrid environment.
1. Configure Windows Hello for Business policy and deploy it to devices.
@ -79,74 +81,35 @@ Deploying Windows Hello for Business cloud trust consists of two steps:
If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud trust.
If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
### Configure Windows Hello for Business Policy
After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
#### Configure Using Group Policy
Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
Cloud trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
##### Update Group Policy Objects
You may need to update your Group Policy definitions to be able to configure the cloud trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
##### Create the Windows Hello for Business Group Policy object
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc).
1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
1. Right-click **Group Policy object** and select **New**.
1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
1. In the navigation pane, expand **Policies** under **Device Configuration**.
1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
1. In the content pane, double-click **Use cloud trust for on-premises authentication**. Click **Enable** and click **OK**.
1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
#### Configure Using Intune
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
The cloud trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
##### Create a user Group that will be targeted for Windows Hello for Business
### Create a user Group that will be targeted for Windows Hello for Business
If you have an existing group you want to target with Windows Hello for Business cloud trust policy, you can skip this step.
If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to **Groups** and select **New group**.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/)
1. Browse to **Groups** and select **New group**
1. Configure the following group settings:
1. Group type: "Security"
1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing
1. Membership type: Assigned
1. Select **Members** and add users that you want to target with Windows Hello for Business cloud trust.
1. Group type: **Security**
1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing
1. Membership type: **Assigned**
1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust
You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center.
You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center
##### Enable Windows Hello for Business
### Enable Windows Hello for Business
If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
@ -162,53 +125,91 @@ You can also follow these steps to create a device configuration policy instead
1. Select Next to move to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
##### Configure Cloud Trust policy
### Configure Cloud Kerberos Trust policy
To configure the cloud trust policy, follow the steps below:
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud trust".
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings:
- Name: "Windows Hello for Business cloud trust" or another familiar name
- Description: Enable Windows Hello for Business cloud trust for sign-in and on-premises SSO.
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth
| Setting |
|--------|
| <ul><li>Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name</li><li>Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*</li><li>OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li></ul>|
>[!IMPORTANT]
>*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
- Data type: Boolean
- Value: True
[![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
#### Update Group Policy Objects
You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
#### Create the Windows Hello for Business Group Policy object
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc).
1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
1. Right-click **Group Policy object** and select **New**.
1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
1. In the navigation pane, expand **Policies** under **Device Configuration**.
1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**.
1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
---
## Provisioning
The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy.
The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.
![Cloud trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
![cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined.
The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
@ -228,11 +229,11 @@ After a successful MFA, the provisioning flow asks the user to create and valida
### Sign-in
Once a user has set up a PIN with cloud trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Troubleshooting
If you encounter issues or want to share feedback about Windows Hello for Business cloud trust, share via the Windows Feedback Hub app by following these steps:
If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
1. Open **Feedback Hub**, and make sure that you're signed in.
1. Submit feedback by selecting the following categories:
@ -241,24 +242,24 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
## Frequently Asked Questions
### Does Windows Hello for Business cloud trust work in my on-premises environment?
### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
This feature doesn't work in a pure on-premises AD domain services environment.
### Does Windows Hello for Business cloud trust work in a Windows login with RODC present in the hybrid environment?
### Does Windows Hello for Business cloud Kerberos trust work in a Windows login with RODC present in the hybrid environment?
Windows Hello for Business cloud trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud trust will work.
Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud trust?
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud trust requires line of sight to a domain controller for some scenarios:
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
- When attempting to access an on-premises resource from an Azure AD joined device
### Can I use RDP/VDI with Windows Hello for Business cloud trust?
### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
No, only the number necessary to handle the load from all cloud trust devices.
No, only the number necessary to handle the load from all cloud Kerberos trust devices.

4
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -31,7 +31,7 @@ This article lists the infrastructure requirements for the different deployment
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Requirement | Cloud trust (Preview)<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate trust<br/>Mixed managed | Certificate trust<br/>Modern managed |
| Requirement | cloud Kerberos trust<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate Trust<br/>Mixed managed | Certificate Trust<br/>Modern managed |
| --- | --- | --- | --- | --- |
| **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).<br/>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later |
| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
@ -44,7 +44,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
> [!Important]
> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models.
> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models.
>
> **Requirements:**
> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903

4
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -94,9 +94,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more

2
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.

4
windows/security/identity-protection/hello-for-business/index.yml
View File

@ -65,8 +65,8 @@ landingContent:
url: hello-identity-verification.md
- linkListType: how-to-guide
links:
- text: Hybrid Cloud Trust Deployment
url: hello-hybrid-cloud-trust.md
- text: Hybrid Cloud Kerberos Trust Deployment
url: hello-hybrid-cloud-kerberos-trust.md
- text: Hybrid Azure AD Joined Key Trust Deployment
url: hello-hybrid-key-trust.md
- text: Hybrid Azure AD Joined Certificate Trust Deployment

4
windows/security/identity-protection/hello-for-business/toc.yml
View File

@ -35,8 +35,8 @@
href: hello-prepare-people-to-use.md
- name: Deployment Guides
items:
- name: Hybrid Cloud Trust Deployment
href: hello-hybrid-cloud-trust.md
- name: Hybrid Cloud Kerberos Trust Deployment
href: hello-hybrid-cloud-kerberos-trust.md
- name: Hybrid Azure AD Joined Key Trust
items:
- name: Hybrid Azure AD Joined Key Trust Deployment

Some files were not shown because too many files have changed in this diff Show More