deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into diagnostic-data-1803

Browse Source
This commit is contained in:
Brian Lich 2018-04-09 13:39:12 -07:00
commit 921726a63f
14 changed files with 709 additions and 731 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

731
browsers/edge/available-policies.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: high
ms.date: 09/13/2017 #Previsou release date
ms.date: 4/5/2018 #Previsou release date 09/13/2017
---
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
@ -27,15 +27,12 @@ Microsoft Edge works with the following Group Policy settings to help you manage
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
<!-- original text
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
-->
## Allow Address bar drop-down list suggestions
>*Supporteded versions: Windows 10, version 1703 or later*
The Address bar drop-down list, when enabled, allows the Address bar drop-down functionality in Microsoft Edge. By default, this policy is enabled. If disabled, you do not see the address bar drop-down functionality and disables the user-defined policy "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this policy takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy.
This policy settings specifies whether to allow the address bar drop-down functionality in Microsoft Edge. By default, this setting is enabled. We recommend that you disable this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. If disabled, you do not see the address bar drop-down functionality and also disables the user-defined settting "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) setting.
If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend that you disable this policy.
**Microsoft Intune to manage your MDM settings**
| | |
@ -44,31 +41,30 @@ This policy settings specifies whether to allow the address bar drop-down functi
|Supported devices |Desktop |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."</li><li>**1 (default)** - Allowed. Address bar drop-down is enabled.</li></ul> |
|Allowed values |<ul><li>**0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined policy, "Show search and site suggestions as I type."</li><li>**1 (default)** - Allowed. Address bar drop-down is enabled.</li></ul> |
## Allow Adobe Flash
>*Supporteded version: Windows 10*
This policy setting specifies whether Adobe Flash can run in Microsoft Edge. By default, this setting is enabled or not configured, which allows you to use Adobe Flash.
Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update. By default, this policy is enabled or not configured allowing you to use Adobe Flash Player in Microsoft Edge.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |
|Supported devices |Desktop |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Adobe Flash cannot be used Microsoft Edge.</li><li>**1 (default)** - Adobe Flash can be used Microsoft Edge. </li></ul> |
|Allowed values |<ul><li>**0** - Adobe Flash cannot be used Microsoft Edge.</li><li>**1 (default)** - Adobe Flash can be used in Microsoft Edge. </li></ul> |
## Allow clearing browsing data on exit
>*Supporteded versions: Windows 10, version 1703*
Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered into forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings.
This policy setting specifies whether to clear browsing data on exiting Microsoft Edge. By default, this setting is disabled or not configured, which means you can turn on and configure Clear browsing data option under Settings. If enabled, browsing history on exit is turned on.
**Microsoft Intune to manage your MDM settings**
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |
@ -80,7 +76,7 @@ This policy setting specifies whether to clear browsing data on exiting Microsof
## Allow configuration updates for the Books Library
>*Supporteded versions: Windows 10*
This policy setting specifies whether Microsoft Edge can automatically update the configuration data for the Books Library. By default, this setting is enabled, which means Microsoft Edge retrieves configuration data for the Books Library. If disabled, Microsoft Edge does not retrieve configuration data.
Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data.
**Microsoft Intune to manage your MDM settings**
| | |
@ -95,7 +91,7 @@ This policy setting specifies whether Microsoft Edge can automatically update th
## Allow Cortana
>*Supported versions: Windows 10, version 1607 or later*
This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows you to use Cortana on your devices. If disabled (not allowed), Cortana is not available for use, but you can use search to find items on your device.
Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device.
**Microsoft Intune to manage your MDM settings**
| | |
@ -103,14 +99,14 @@ This policy setting specifies whether Cortana is allowed on the device. By defau
|MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) |
|Supported devices |Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana |
|Location |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |
|Location |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortana |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Not allowed.</li><li>**1 (default)** - Allowed.</li></ul> |
## Allow Developer Tools
>*Supporteded versions: Windows 10, version 1511 or later*
This policy setting specifies whether you can use the F12 Developer Tools on Microsoft Edge. By default, this setting is enabled making the F12 Developer Tools availabe to use. If disabled, the F12 Developer Tools are not available.
F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools availabe to use.
**Microsoft Intune to manage your MDM settings**
| | |
@ -119,12 +115,12 @@ This policy setting specifies whether you can use the F12 Developer Tools on Mic
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Employees cannot use the F12 Developer Tools./li><li>**1 (default)** - Employees can use the F12 Developer Tools.</li></ul> |
|Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> |
## Allow extended telemetry for the Books tab
>*Supporteded versions: Windows 10*
This policy setting allows you to specify how much data to send to Microsoft about the books you are reading from the Books tab in Microsoft Edge. By default, this setting is disabled or not configured, which means Microsoft Edge only sends basic diagnostic data, depending on your device configuration. If enabled, Microsoft Edge sends additional diagnostic data in addition to the basic diagnostic data, from the Books tab.
If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft.
**Microsoft Intune to manage your MDM settings**
| | |
@ -133,12 +129,12 @@ This policy setting allows you to specify how much data to send to Microsoft abo
|Supported devices |Desktop<br>Mobile |
|URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry |
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Disable. No additional diagnostic data.</li><li>**1** - Enable. Additional diagnostic data for schools.</li></ul> |
|Allowed values |<ul><li>**0 (default)** - Disable. Only basic diagnostic data is sent.</li><li>**1** - Enable. Both Basic and additional diagnostic data is sent.</li></ul> |
## Allow Extensions
>*Supporteded versions: Windows 10, version 1607 or later*
This policy setting specifies whether you can use Edge Extensions. By default, this setting is enabled allowing you to use extensions. If disabled, you cannot use extensions.
If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy.
**Microsoft Intune to manage your MDM settings**
| | |
@ -147,12 +143,12 @@ This policy setting specifies whether you can use Edge Extensions. By default,
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Employees cannot use Edge Extensions.</li><li>**1 (default)** - Employees can use Edge Extensions. </li></ul> |
|Allowed values |<ul><li>**0** - Microsoft Edge extensions are disabled.</li><li>**1 (default)** - Microsoft Edge Extensions are enabled. </li></ul> |
## Allow InPrivate browsing
>*Supporteded versions: Windows 10, version 1511 or later*
This policy setting specifies whether InPrivate browsing is allowed on corporate networks. By default, this setting is enabled allowing you to use InPrivate website browsing. If disabled, you cannot use InPrivate website browsing.
InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed.
**Microsoft Intune to manage your MDM settings**
| | |
@ -161,12 +157,13 @@ This policy setting specifies whether InPrivate browsing is allowed on corporate
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Employees cannot use InPrivate browsing.</li><li>**1 (default)** - Employees can use InPrivate browsing.</li></ul> |
|Allowed values |<ul><li>**0** - InPrivate browsing is disabled.</li><li>**1 (default)** - InPrivate browsing is enabled.</li></ul> |
## Allow Microsoft Compatibility List
>*Supporteded versions: Windows 10, version 1703 or later*
This policy setting specifies whether to use the Microsoft compatibility list in Microsoft Edge. The list helps websites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and used during browser navigation. The list can be viewed by visiting "about:compat". By default, this setting is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used.
Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used.
**Microsoft Intune to manage your MDM settings**
| | |
@ -175,7 +172,7 @@ This policy setting specifies whether to use the Microsoft compatibility list in
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Additional search engines are not allowed and the default cannot be changed in the Address bar.</li><li>**1 (default)** - Additional search engines are allowed and the default can be changed in the Address bar.</li></ul> |
|Allowed values |<ul><li>**0** - Disabled. The Microsoft compatibility list is ignored.</li><li>**1 (default)** - Enabled. The Microsoft compatibility list is periodically update and used during browser navigation.</li></ul> |
## Allow search engine customization
>*Supported versions: Windows 10, version 1703 or later*
@ -273,6 +270,7 @@ This policy setting specifies whether Do Not Track requests to websites is allow
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.</li><li>**1** - Employees can send Do Not Track headers to websites requesting tracking info. </li></ul> |
## Configure Favorites
>*Supported versions: Windows 10, version 1709*
@ -298,6 +296,7 @@ You can export a set of favorites from Edge and use that html file for provision
|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites |
|Data type | String |
## Configure Password Manager
>*Supported versions: Windows 10*
@ -498,9 +497,15 @@ This policy setting specifies whether you can add, import, sort, or edit the Fav
>[!Important]
>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge.
<!--
**MDM name:**
-->
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites |
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Disabled. Do not lockdown Favorites.</li><li>**1** - Enabled. Lockdown Favorites.</li></ul> |
## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
>*Supported versions: Windows 10, version 1703 or later*
@ -607,674 +612,6 @@ This policy setting specifies whether organizations should use a folder shared a
|Data type | Integer |
|Allowed values |<ul><li>**0** - No shared folder.</li><li>**1** - Use as shared folder.</li></ul> |
<!--
## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
> [!NOTE]
> **Supported Devices** uses these options:
> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
> - **Mobile.** Supports Windows 10 Mobile devices only.
> - **Both.** Supports both desktop and mobile devices.
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
## AllowAddressBarDropdown
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown
- **Data type:** Integer
- **Allowed values:**
- **0.** Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
- **1 (default).** Allowed. Address bar drop-down is enabled.
## AllowAutofill
- **Supported versions:** Windows 10
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
## AllowBrowser
- **Supported versions:** Windows 10
- **Supported devices:** Mobile
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
## AllowCookies
- **Supported versions:** Windows 10
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Allows all cookies from all sites.
- **1.** Blocks only cookies from 3rd party websites.
- **2.** Blocks all cookies from all sites.
## AllowDeveloperTools
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use the F12 Developer Tools.
- **1 (default).** Employees can use the F12 Developer Tools.
## AllowDoNotTrack
- **Supported versions:** Windows 10
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Stops you from sending Do Not Track headers to websites requesting tracking info.
- **1.** Employees can send Do Not Track headers to websites requesting tracking info.
## AllowExtensions
- **Supported versions:** Windows 10, version 1607 and later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use Edge Extensions.
- **1 (default).** Employees can use Edge Extensions.
## AllowFlash
- **Supported versions:** Windows 10
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash
- **Data type:** Integer
- **Allowed values:**
- **0.** Not allowed. Employees cannot use Adobe Flash.
- **1 (default).** Allowed. Employees can use Adobe Flash.
## AllowFlashClickToRun
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Desktop|
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun
- **Data type:** Integer
- **Allowed values:**
- **0.** Adobe Flash content is automatically loaded and run by Microsoft Edge
- **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
## AllowInPrivate
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use InPrivate browsing.
- **1 (default).** Employees can use InPrivate browsing.
## AllowMicrosoftCompatibilityList
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList
- **Data type:** Integer
- **Allowed values:**
- **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
## AllowPasswordManager
- **Supported versions:** Windows 10
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Employees cannot use Password Manager to save passwords locally.
- **1.** Employees can use Password Manager to save passwords locally.
## AllowPopups
- **Supported versions:** Windows 10
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.
- **1.** Turns on Pop-up Blocker, stopping pop-up windows.
## AllowSearchEngineCustomization
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization
- **Data type:** Integer
- **Allowed values:**
- **0.** Additional search engines are not allowed and the default cannot be changed in the Address bar.
- **1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.
## AllowSearchSuggestionsinAddressBar
- **Supported versions:** Windows 10
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Employees cannot see search suggestions in the Address bar of Microsoft Edge.
- **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
## AllowSmartScreen
- **Supported versions:** Windows 10
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Turns off Windows Defender SmartScreen.
- **1.** Turns on Windows Defender SmartScreen, providing warning messages to your you about potential phishing scams and malicious software.
## ClearBrowsingDataOnExit
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
- **1.** Browsing data is cleared on exit.
## ConfigureAdditionalSearchEngines
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Additional search engines are not allowed.
- **1.** Additional search engines are allowed.
## DisableLockdownOfStartPages
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
- **1.** Disable lockdown of the Start pages and allow users to modify them.
## EnterpriseModeSiteList
- **Supported versions:** Windows 10
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
- **Data type:** String
- **Allowed values:**
- Not configured.
- **1 (default).** Use the Enterprise Mode Site List, if configured.
- **2.** Specify the location to the site list.
>[!NOTE]
>If theres an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If youre already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
## Favorites
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/Favorites
- **Data type:** String
- **Allowed values:**
- Configure the **Favorite** URLs for your you.
**Example:**
<contoso.com>
<fabrikam.com>
URLs must be on separate lines and are not shared between Microsoft Edge and Internet Explorer 11.
## FirstRunURL
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Mobile
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
- **Data type:** String
- **Allowed values:**
- Configure the first run URL for your you.
**Example:**
<contoso.one>
## HomePages
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
- **Data type:** String
- **Allowed values:**
- Configure the Start page (previously known as Home page) URLs for your you.
**Example:**
<contoso.com/support><fabrikam.com/support>
## PreventAccessToAboutFlagsInMicrosoftEdge
- **Supported versions:** Windows 10, version 1607 and later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- **1.** Employees cannot access the about:flags page in Microsoft Edge.
## PreventFirstRunPage
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Employees see the First Run webpage.
- **1.** Employees do not see the First Run webpage.
## PreventLiveTileDataCollection
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
- **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
## PreventSmartScreenPromptOverride
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Turns off Windows Defender SmartScreen.
- **1.** Turns on Windows Defender SmartScreen.
## PreventSmartScreenPromptOverrideForFiles
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Lets you ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
- **1.** Stops you from ignoring the Windows Defender SmartScreen warnings about unverified files.
## PreventUsingLocalHostIPAddressForWebRTC
- **Supported versions:** Windows 10, version 1511 or later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Does not show an employee's LocalHost IP address while using the WebRTC protocol.
## SendIntranetTraffictoInternetExplorer
- **Supported versions:** Windows 10
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1.** Automatically opens all intranet sites using Internet Explorer 11.
## SetDefaultSearchEngine
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** The default search engine is set to the one specified in App settings.
- **1.** Allows you to configure the default search engine for your you.
## ShowMessageWhenOpeningInteretExplorerSites
- **Supported versions:** Windows 10, version 1607 and later
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
## SyncFavoritesBetweenIEAndMicrosoftEdge
- **Supported versions:** Windows 10, version 1703
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- **Data type:** Integer
- **Allowed values:**
- **0 (default).** Synchronization is turned off.
- **1.** Synchronization is turned on.
>[!Note]
>Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices.
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
## Allow Cortana
- **Location:** Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana
- **Description:** This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows you to use Cortana on their devices. If disabled (not allowed), you cannot use Cortana, but can use search to find items on the device.
-
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) |
|Supported devices |Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana |
|Location |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Not allowed.</li><li>**1 (default)** - Allowed.</li></ul> |
## Do not sync
- **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync
- **Description:** This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
-
-
## Do not sync browser settings
- **Location:**
- **Description:** This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting.
- **Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings |
|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Employees cannot sync settings between PCs.</li><li>**1 (default)** - Employees can sync between PCs.</li></ul> |
## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
## AllowCortana
- **Supported devices:** Both
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
## AllowSyncMySettings
- **Supported devices:** Desktop
- **Details:**
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees cannot sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
-->
## Related topics
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)

26
devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
View File

@ -25,17 +25,7 @@ Surface Hub has been validated with Microsofts first-party MDM providers:
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
You can enroll your Surface Hubs using bulk or manual enrollment.
> [!NOTE]
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD-joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
>
> **To enable automatic enrollment for Microsoft Intune**
> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
> 2. Click the **Applications** tab, then click **Microsoft Intune**.
> 3. Under **Manage devices for these users**, click **Groups**.
> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. **Do not include accounts that are used to enroll Surface Hubs into Intune.**
> 5. Click the checkmark button, then click **Save**.
You can enroll your Surface Hubs using bulk, manual, or automatic enrollment.
### Bulk enrollment
**To configure bulk enrollment**
@ -51,6 +41,20 @@ You can enroll your Surface Hubs using bulk or manual enrollment.
4. Under **Device management**, select **+ Device management**.
5. Follow the instructions in the dialog to connect to your MDM provider.
### Automatic enrollment via Azure Active Directory join
Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory.
**To enable automatic enrollment for Microsoft Intune**
1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
2. Click the **Applications** tab, then click **Microsoft Intune**.
3. Under **Manage devices for these users**, click **Groups**.
4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune.
5. Click the checkmark button, then click **Save**.
For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
## Manage Surface Hub settings with MDM
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.

5
education/windows/set-up-school-pcs-technical.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 03/12/2018
ms.date: 04/04/2018
---
# Technical reference for the Set up School PCs app
@ -290,7 +290,8 @@ The Set up School PCs app produces a specialized provisioning package that makes
<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>
<tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td>
<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td> <p> User Account Control: Behavior of the elevation prompt for standard users </p> </td> <td> <p> Auto deny</p> </td>
</tr>
</tbody>

28
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/23/2018
ms.date: 04/06/2018
---
# What's new in MDM enrollment and management
@ -1149,6 +1149,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>ApplicationDefaults/EnableAppUriHandlers</li>
<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
<li>Bluetooth/AllowPromptedProximalConnections</li>
<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
<li>Browser/AlwaysEnableBooksLibrary</li>
<li>Browser/EnableExtendedBooksTelemetry</li>
@ -1176,7 +1177,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
@ -1190,7 +1194,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
@ -1630,6 +1638,20 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Settings/SaveFilesToHost</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul>
<li>Bluetooth/AllowPromptedProximalConnections</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
</ul>
</td></tr>
</tbody>
</table>

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -399,6 +399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-allowprepairing" id="bluetooth-allowprepairing">Bluetooth/AllowPrepairing</a>
</dd>
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-allowpromptedproximalconnections" id="bluetooth-allowpromptedproximalconnections">Bluetooth/AllowPromptedProximalConnections</a>
</dd>
<dd>
<a href="./policy-csp-bluetooth.md#bluetooth-localdevicename" id="bluetooth-localdevicename">Bluetooth/LocalDeviceName</a>
</dd>

63
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/12/2018
ms.date: 04/06/2018
---
# Policy CSP - Bluetooth
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -28,6 +30,9 @@ ms.date: 03/12/2018
<dd>
<a href="#bluetooth-allowprepairing">Bluetooth/AllowPrepairing</a>
</dd>
<dd>
<a href="#bluetooth-allowpromptedproximalconnections">Bluetooth/AllowPromptedProximalConnections</a>
</dd>
<dd>
<a href="#bluetooth-localdevicename">Bluetooth/LocalDeviceName</a>
</dd>
@ -197,6 +202,62 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="bluetooth-allowpromptedproximalconnections"></a>**Bluetooth/AllowPromptedProximalConnections**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios
- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bluetooth-localdevicename"></a>**Bluetooth/LocalDeviceName**

17
windows/client-management/mdm/policy-csp-kioskbrowser.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/03/2018
ms.date: 04/06/2018
---
# Policy CSP - KioskBrowser
@ -14,7 +14,8 @@ ms.date: 04/03/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
These policies only apply to kiosk browser.
These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end users browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
<hr/>
@ -85,7 +86,7 @@ These policies only apply to kiosk browser.
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->
@ -132,7 +133,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->
@ -179,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->
@ -226,7 +227,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->
@ -273,7 +274,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->
@ -322,7 +323,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
> [!Note]
> This policy only applies to kiosk browser.
> This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description-->
<!--/Policy-->

513
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/16/2018
ms.date: 04/06/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@ -51,6 +51,15 @@ ms.date: 03/16/2018
<dd>
<a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
@ -117,6 +126,18 @@ ms.date: 03/16/2018
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
</dd>
@ -757,6 +778,220 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Default: Enabled.
Notes:
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
Default: Enabled.
Important
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges"></a>**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
Default: Disabled.
Notes
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Disable machine account password changes*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@ -2122,6 +2357,282 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
If you do not configure this policy setting, no exceptions will be applied.
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
This policy setting allows you to audit incoming NTLM traffic.
If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Restrict NTLM: Incoming NTLM traffic
This policy setting allows you to deny or allow incoming NTLM traffic.
If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Restrict NTLM: Incoming NTLM traffic*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**

2
windows/client-management/mdm/policy-csp-search.md
View File

@ -834,7 +834,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. Desktop users should use Search/DoNotUseWebResults.
Specifies what level of safe search (filtering adult content) is required.

2
windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
View File

@ -26,7 +26,7 @@ ms.date: 10/05/2017
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.<p>Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.<p>**In Windows 10 Pro edition**<br>This setting cant be managed.<p>**In Windows 10 Enterprise edition**<br>Cortana won't work if this setting is turned off (disabled).|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|

1
windows/deployment/TOC.md
View File

@ -230,6 +230,7 @@
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Determine the source of Windows updates](update/windows-update-sources.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)

10
windows/deployment/update/index.md
View File

@ -1,16 +1,16 @@
---
title: Update Windows 10 in the enterprise (Windows 10)
title: Update Windows 10 in enterprise deployments (Windows 10)
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
author: Jaimeo
ms.localizationpriority: high
ms.author: daniha
ms.date: 11/17/2017
ms.author: jaimeo
ms.date: 04/06/2018
---
# Update Windows 10 in the enterprise
# Update Windows 10 in enterprise deployments
**Applies to**

2
windows/deployment/update/waas-integrate-wufb.md
View File

@ -90,7 +90,7 @@ For Windows 10, version 1607, organizations already managing their systems with
![Example of unknown devices](images/wufb-sccm.png)
For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
## Related topics

37
windows/deployment/update/windows-update-sources.md Normal file
View File

@ -0,0 +1,37 @@
---
title: Determine the source of Windows updates
description: Determine the source that Windows Update service is currently using.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: kaushika-msft
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 04/05/2018
---
# Determine the source of Windows updates
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 
1. Start Windows PowerShell as an administrator
2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
| Output | Interpretation |
|-----------------------------------------------------|-----------------------------------|
| - Name: **Microsoft Update**<br>-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.<br>- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)|
|- Name: **DCat Flighting Prod** <br>- OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.<br>- Indicates that the client will not receive or is not configured to receive these updates. |
| - Name: **Windows Store (DCat Prod)**<br>- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.<br>- Indicates that the client will not receive or is not configured to receive these updates.|
|- Name: **Windows Server Update Service**<br>- OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.<br>- The client is configured to receive updates from WSUS.|
|- Name: **Windows Update**<br>- OffersWindowsUpdates: **True** |- The source is Windows Update.<br>- The client is configured to receive updates from Windows Update Online.|
See also:
[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760)
[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)