diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6ba49fc316..8377f170ae 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19448,7 +19448,7 @@
{
"source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware",
- "redirect_document_id": false
+ "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/support-scams.md",
@@ -19496,24 +19496,64 @@
"redirect_document_id": false
},
{
- "source_path": "windows/education/itadmins.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
+ "source_path": "education/itadmins.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
},
{
- "source_path": "windows/education/partners.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
+ "source_path": "education/partners.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
+ {
+ "source_path": "windows-docs-pr/windows/client-management/mdm/remotering-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/remotering-ddf-file.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
{
- "source_path": "windows/education/developers.yml",
- "redirect_url": "/education/",
- "redirect_document_id": true
- }
+ "source_path": "education/developers.yml",
+ "redirect_url": "/education",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/enterpriseappmanagement-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/messaging-ddf.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/messaging-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/policymanager-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mdm/proxy-csp.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/img-boot-sequence.md",
+ "redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence",
+ "redirect_document_id": false
+ }
]
-}
\ No newline at end of file
+}
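Review bot: the new `remotering-csp.md` entry has `"source_path": "windows-docs-pr/windows/client-management/mdm/remotering-csp.md"`, which carries a repository-name prefix that no other entry in this hunk uses (its sibling is `windows/client-management/mdm/remotering-ddf-file.md`). If source paths are repo-relative like the rest, this redirect will not match the removed file, and it also puts the private repository name into a published config file; suggest dropping the `windows-docs-pr/` prefix. Separately, the three education entries change both the source path (`windows/education/...` to `education/...`) and `redirect_document_id` (`true` to `false`) in one step, so the description should state whether the old `windows/education/*.yml` sources are intentionally left without a redirect.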
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ef3a69ff52..3bf0503686 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,104 +2,84 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation.
+For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
## Sign a CLA
-All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
-If you've already edited within Microsoft repositories in the past, congratulations!
+All contributors who are ***not*** a Microsoft employee or vendor must [sign a Microsoft Contributor License Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
+If you've already edited within Microsoft repositories in the past, congratulations!
You've already completed this step.
## Editing topics
We've tried to make editing an existing, public file as simple as possible.
->**Note**
->At this time, only the English (en-us) content is available for editing.
+> **Note**
+> At this time, only the English (en-us) content is available for editing. If you have suggestions for edits to localized content, file feedback on the article.
-**To edit a topic**
+### To edit a topic
-1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
+1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
- 
+ > **Note**
+ > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
-2. Log into (or sign up for) a GitHub account.
-
- You must have a GitHub account to get to the page that lets you edit a topic.
+1. Then select the **Pencil** icon.
-3. Click the **Pencil** icon (in the red box) to edit the content.
+ 
- 
+ If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
-4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
-
- - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
+ > **TIP**
+ > View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
-5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
+1. In GitHub, select the **Pencil** icon to edit the article. If the pencil icon is grayed out, you need to either sign in to your GitHub account or create a new account.
- 
+ 
-6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
- 
+1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
- The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
+ 
-7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
+1. When you're finished editing, scroll to the bottom of the page. In the **Propose changes** area, enter a title and optionally a description for your changes. The title will be the first line of the commit message. Briefly state _what_ you changed. Select **Propose changes** to commit your changes:
+
+ 
+
+1. The **Comparing changes** screen appears to show what the changes are between your fork and the original content. On the **Comparing changes** screen, you'll see if there are any problems with the file you're checking. If there are no problems, you'll see the message **Able to merge**.
- If there are no problems, you’ll see the message, **Able to merge**.
-

-8. Click **Create pull request**.
+ Select **Create pull request**. Next, enter a title and description to give the approver the appropriate context about _why_ you're suggesting this change. Make sure that only your changed files are in this pull request; otherwise, you could overwrite changes from other people.
-9. Enter a title and description to give the approver the appropriate context about what’s in the request.
+1. Select **Create pull request** again to actually submit the pull request.
-10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
+ The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
-11. Click **Create pull request** again to actually submit the pull request.
-
- The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
-
- - [Windows 10](https://docs.microsoft.com/windows/windows-10)
-
- - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
-
- - [Surface](https://docs.microsoft.com/surface)
-
- - [Surface Hub](https://docs.microsoft.com/surface-hub)
-
- - [HoloLens](https://docs.microsoft.com/hololens)
-
+ - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
-
- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
-
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
-
- - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
-
- - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
-
+ - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
## Making more substantial changes
-To make substantial changes to an existing article, add or change images, or contribute a new article, you will need to create a local clone of the content.
-For info about creating a fork or clone, see the GitHub help topic, [Fork a Repo](https://help.github.com/articles/fork-a-repo/).
+To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
+For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
-Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Then open a pull request back to the master branch of the official repo.
+Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
## Using issues to provide feedback on documentation
If you just want to provide feedback rather than directly modifying actual documentation pages, you can create an issue in the repository.
-At the top of a topic page you'll see an **Issues** tab. Click the tab and then click the **New issue** button.
+At the top of an article, you'll see a feedback icon. Select the icon to go to the **Feedback** section at the bottom of the article. Then select **This page** to file feedback for the current article.
-Be sure to include the topic title and the URL for the page you're submitting the issue for, if that page is different from the page you launched the **New issue** dialog from.
+In the new issue form, enter a brief title. In the body of the form, describe the concern, but don't modify the **Document Details** section. You can use markdown in this form. When you're ready, select **Submit new issue**.
## Resources
-You can use your favorite text editor to edit Markdown. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
-
-You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
-
+- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
+- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
+- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
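Review bot: the note added under step 1 of "To edit a topic" sends readers to `https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main` and names the private repository **windows-docs-pr**, but this file is the public contributor guide. Please confirm that link is meant to appear here and say in the note that it requires Microsoft sign-in, so external contributors do not treat a failed load as a broken step. Also, the old standalone step "Log into (or sign up for) a GitHub account" is now only a conditional clause in the GitHub pencil step ("If the pencil icon is grayed out..."); consider keeping the account requirement visible before step 1, since nothing after the second pencil step works without it.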
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 897b27ceed..6290d3a462 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -23,11 +23,11 @@ ms.date: 07/27/2017
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
@@ -53,16 +53,13 @@ Besides turning on this feature, you also have the option to provide a URL for E
Your **Value data** location can be any of the following types:
-- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
**Important**
- The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API.
-- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
-- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data.
+- **URL location**, for example: `https://www.emieposturl.com/api/records` or `https://localhost:13000`. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
+
+ > [!Important]
+ > The `https://www.emieposturl.com/api/records` example will only work if you've downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) article. If you don't have the sample, you won't have the web API.
+
+- **Local network location**, for example: `https://emieposturl/`. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
+
+- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won't collect any logging data.
For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
-
-
-
-
-
-
-
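Review bot: the converted alert uses `> [!Important]`, while the other alert visible in this patch is written `> [!WARNING]`; suggest `> [!IMPORTANT]` for consistency and to avoid relying on case-insensitive parsing. In the same hunk, the rewritten "Empty string" bullet still reads "If you leave the **Value data** box blank; your employees will be able to..."; since the line is already being touched for the apostrophe, replace the semicolon with a comma.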
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 27e231694f..17fad3f1dd 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -34,8 +34,6 @@ landingContent:
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- - text: Download IE11 with Windows 10
- url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise
- text: Enterprise Mode Site List Manager (schema, v.2)
url: https://www.microsoft.com/download/details.aspx?id=49974
- text: Cumulative security updates for Internet Explorer 11
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 8100e0959b..73b3828e76 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,27 @@
+## Week of May 02, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
+| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
+| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
+| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
+| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
+| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
+| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
+| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
+| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
+| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
+| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
+| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
+| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
+| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
+
+
## Week of April 25, 2022
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 87443100ce..70532ccda4 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
- Local administrator
-- Microsoft Account (MSA) administrator
+- Microsoft account administrator
- Azure Active Directory administrator
> [!WARNING]
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 445f9c1e89..9090762b1e 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -38,37 +38,55 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
-| Application | Supported version | Vendor |
-| --- | --- | --- |
-|Blub Digital Portoflio |0.0.7.0 |bulb|
-|CA Secure Browser |14.0.0 |Cambium Development|
-|Cisco Umbrella |3.0.110.0 |Cisco|
-|Dragon Professional Individual |15.00.100 |Nuance Communications|
-|DRC INSIGHT Online Assessments |12.0.0.0 |DRC|
-|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking|
-|Free NaturalReader |16.1.2 |Natural Soft|
-|GoGuardian |1.4.4 |GoGuardian|
-|Google Chrome |97.0.4692.71 |Google|
-|JAWS for Windows |2022.2112.24 |Freedom Scientific|
-|Kite Student Portal |8.0.1|Dynamic Learning Maps|
-|Kortext |2.3.418.0 |Kortext|
-|LanSchool |9.1.0.46 |Stoneware|
-|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems|
-|Mozilla Firefox |96.0.2 |Mozilla|
-|NextUp Talker |1.0.49 |NextUp Technologies|
-|NonVisual Desktop Access |2021.3.1 |NV Access|
-|NWEA Secure Testing Browser |5.4.300.0 |NEWA|
-|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.|
-|Safe Exam Broswer |3.3.1 |Safe Exam Broswer|
-|Secure Browser |4.8.3.376 |Questar, Inc|
-|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access|
-|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access|
-|Respondus Lockdown Browser |2.0.8.03 |Respondus|
-|TestNav |1.10.2.0 |Pearson Education Inc|
-|SecureBrowser |14.0.0 |Cambium Development|
-|Zoom |5.9.1 (2581) |Zoom|
-|ZoomText Fusion |2022.2109.10 |Freedom Scientific|
-|ZoomText Magnifier/Reader |2022.2109.25 |Freedom Scientific|
+| Application | Supported version | App Type | Vendor |
+| --- | --- | --- | --- |
+|AirSecure |8.0.0 |Win32 |AIR|
+|Brave Browser |1.34.80|Win32 |Brave|
+|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
+|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
+|CKAuthenticator |3.6 |Win32 |Content Keeper|
+|Class Policy |114.0.0 |Win32 |Class Policy|
+|Classroom.cloud |1.40.0004 |Win32 |NetSupport|
+|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights|
+|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications|
+|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
+|Duo from Cisco |2.25.0 |Win32 |Cisco|
+|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
+|eTests |4.0.25 |Win32 |CASAS|
+|FortiClient |7.0.1.0083 |Win32 |Fortinet|
+|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
+|GoGuardian |1.4.4 |Win32 |GoGuardian|
+|Google Chrome |100.0.4896.127|Win32 |Google|
+|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education|
+|Immunet |7.5.0.20795 |Win32 |Immunet|
+|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific|
+|Kite Student Portal |8.0.1 |Win32 |Dynamic Learning Maps|
+|Kortext |2.3.433.0 |Store |Kortext|
+|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems|
+|LanSchool |9.1.0.46 |Win32 |Stoneware|
+|Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems|
+|Microsoft Connect |10.0.22000.1 |Store |Microsoft|
+|Mozilla Firefox |99.0.1 |Win32 |Mozilla|
+|NAPLAN |2.5.0 |Win32 |NAP|
+|NetSupport Manager |12.01.0011 |Win32 |NetSupport|
+|NetSupport Notify |5.10.1.215 |Win32 |NetSupport|
+|NetSupport School |14.00.0011 |Win32 |NetSupport|
+|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
+|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
+|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
+|Pearson TestNav |1.10.2.0 |Store |Pearson|
+|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
+|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
+|Remote Help |3.8.0.12 |Win32 |Microsoft|
+|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
+|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
+|Secure Browser |14.0.0 |Win32 |Cambium Development|
+|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
+|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
+|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
+|Zoom |5.9.1 (2581)|Win32 |Zoom|
+|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
+|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific|
### Enabled apps
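Review bot: the new table lists what looks like the same product twice, `|Questar Secure Browser |4.8.3.376 |Win32 |Questar|` and `|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|`, with identical version and app type. Administrators use this list to decide what can be deployed to Windows 11 SE, so please collapse these to one row with one vendor spelling, or explain the difference. Two smaller points in the same table: "Data recognition Corporation" should be "Data Recognition Corporation", and the "SuperNova Magnifier & Speech" row is removed with no replacement while "SuperNova Magnifier & Screen Reader" moves to 21.02; confirm the removal is intentional rather than lost in the re-sort.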
diff --git a/images/compare-changes.png b/images/compare-changes.png
index 0d86db70f5..183953dc8a 100644
Binary files a/images/compare-changes.png and b/images/compare-changes.png differ
diff --git a/images/contribute-link.png b/images/contribute-link.png
index 4cf685e54e..742a6f53ef 100644
Binary files a/images/contribute-link.png and b/images/contribute-link.png differ
diff --git a/images/pencil-icon.png b/images/pencil-icon.png
index 82fe7852dd..f041c32229 100644
Binary files a/images/pencil-icon.png and b/images/pencil-icon.png differ
diff --git a/images/preview-changes.png b/images/preview-changes.png
index cb4ecab594..54761f44d2 100644
Binary files a/images/preview-changes.png and b/images/preview-changes.png differ
diff --git a/images/propose-changes.png b/images/propose-changes.png
new file mode 100644
index 0000000000..5c16f931fc
Binary files /dev/null and b/images/propose-changes.png differ
diff --git a/images/propose-file-change.png b/images/propose-file-change.png
deleted file mode 100644
index aedbc07b16..0000000000
Binary files a/images/propose-file-change.png and /dev/null differ
diff --git a/smb/breadcrumb/toc.yml b/smb/breadcrumb/toc.yml
index 3fc3bfeaee..317dcb4c3b 100644
--- a/smb/breadcrumb/toc.yml
+++ b/smb/breadcrumb/toc.yml
@@ -1,10 +1,11 @@
+items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows
- topicHref: https://docs.microsoft.com/windows/#pivot=it-pro
+ topicHref: /windows/resources/
items:
- name: SMB
tocHref: /windows/smb
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 7da2e85c29..729c76f598 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -574,7 +574,7 @@ See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- [Set up Office 365 for business](/microsoft-365/admin/setup)
- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
-- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
+- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/)
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 5ec635a24d..c6c6e4564c 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow
You can add a collection to your private store from the private store, or from the details page for an app.
**From private store**
+
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.
- 
+ 
3. Click **Add a Collection**.

@@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t
> New collections require at least one app, or they will not be created.
**From app details page**
+
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.
@@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.
- 
+ 
3. Click the ellipses next to the collection name, and click **Edit collection**.
4. Add or remove products from the collection, and then click **Done**.
You can also add an app to a collection from the app details page.
+
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 42eda0b990..9478fd004c 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -45,7 +45,7 @@ You'll need to set up:
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
-
+
## Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.
diff --git a/template.md b/template.md
new file mode 100644
index 0000000000..84c08cc7de
--- /dev/null
+++ b/template.md
@@ -0,0 +1,292 @@
+---
+title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
+description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
+ms.date: mm/dd/yyyy
+ms.prod: windows
+ms.technology: windows #more to come...
+ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
+ms.localizationpriority: medium #high null
+author: # GitHub username (aczechowski)
+ms.author: # MS alias (aaroncz)
+ms.reviewer: # MS alias of feature PM, optional
+manager: # MS alias of manager (dougeby)
+ms.collection: # optional
+- # highpri - high priority, strategic, important, current, etc. articles
+- # openauth - the article is owned by PM or community for open authoring
+---
+
+# Metadata and Markdown Template
+
+_Applies to:_
+
+- Windows 11
+- Windows 10
+
+This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
+
+When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
+
+## Metadata
+
+The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
+
+- You _must_ have a space between the colon (`:`) and the value for a metadata element.
+
+- Remove all metadata comments (`#`)
+
+- Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `:` (for example, `title: Azure Rights Management: the basics`).
+
+- `title`: This title appears in search engine results and the browser tab.
+ - Don't end with a period.
+ - Use Microsoft style _sentence case_.
+ - The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
+ - It should be roughly 55 characters or less for best search engine optimization (SEO).
+
+- `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
+
+- `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
+
+- `author`: The author field contains the **Github username** of the author.
+ - This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
+ - It's also used to display the first (left-most) contributor in the published article.
+
+- `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
+ - `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
+
+- `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
+
+- `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
+
+- `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
+
+- `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
+
+## Basic markdown and GFM
+
+All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
+
+- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
+- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
+- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
+
+## Headings
+
+Examples of first- and second-level headings are above.
+
+There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
+
+Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
+
+Limit the length of second-level headings to avoid excessive line wraps.
+
+Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
+
+Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
+
+Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
+
+### Third-level heading
+
+Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
+
+#### Fourth-level heading
+
+##### Fifth level heading
+
+## Text styling
+
+_Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
+
+**Bold**
+
+~~Strikethrough~~
+
+## Links
+
+> [!TIP]
+> Use the **Docs Authoring Pack** extension to easily add links!
+>
+> 1. **Alt** + **M** to open the Docs Authoring Pack menu.
+> 1. Select **Link** and then follow the prompts.
+>
+> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
+
+For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+
+### Article in the same repo
+
+To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
+
+#### Link to headings
+
+To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
+
+To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
+
+### Another docs.ms article
+
+To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
+
+### External URLs
+
+To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
+
+- The link should always be **HTTPS**.
+- Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
+
+### Example links
+
+If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
+This style makes sure the URL is ignored during build validation and the broken links report.
+
+### Tips for links
+
+When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
+
+VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
+
+There's a broken link report that runs once a week in the build system, get the report from OPS.
+
+Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
+
+For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+
+## Lists
+
+### Ordered lists
+
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+
+You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
+
+#### Ordered list with an embedded list
+
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+1. This list is ordered.
+ 1. This list is embedded.
+ 1. This list is embedded.
+1. This list is ordered.
+1. This list is ordered.
+
+### Unordered Lists
+
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+
+#### Unordered list with embedded lists
+
+- This list is bulleted.
+- This list is bulleted.
+- This list is bulleted.
+ - This list is embedded.
+ - This list is embedded.
+- This list is bulleted.
+- This list is bulleted.
+ 1. This list is embedded and ordered.
+ 1. This list is embedded and ordered.
+- This list is bulleted.
+
+## Horizontal rule
+
+---
+
+## Tables
+
+| Tables | Are | Cool |
+| ------------- |:-------------:| -----:|
+| col 3 is | right-aligned | $1600 |
+| col 2 is | centered | $12 |
+| col 1 is default | left-aligned | $1 |
+
+The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
+
+## Code
+
+### Codeblock
+
+```json
+{
+ "aggregator": {
+ "batchSize": 1000,
+ flushTimeout": "00:00:30"
+ }
+}
+```
+
+### In-line code
+
+This sentence includes an example of `in-line code`.
+
+## Blockquote
+
+> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
+
+## Images
+
+Use the Docs Authoring Pack menu to easily insert media.
+
+Always include alt text for accessibility, and always end it with a period.
+
+
+### Static Image
+
+:::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
+
+### Image with lightbox
+
+:::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
+
+### Animated gif
+
+:::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
+
+### Linked Image
+
+[](https://azure.microsoft.com)
+
+## Alerts
+
+### Note
+
+> [!NOTE]
+> This is NOTE
+
+### Warning
+
+> [!WARNING]
+> This is WARNING
+
+### Tip
+
+> [!TIP]
+> This is TIP
+
+### Caution
+
+> [!CAUTION]
+> This is CAUTION
+
+### Important
+
+> [!IMPORTANT]
+> This is IMPORTANT
+
+## Videos
+
+### YouTube
+
+> [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
+
+## docs.ms extensions
+
+> [!div class="nextstepaction"]
+> [Next step action](/mem/configmgr)
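Review bot: The JSON sample under `### Codeblock` is not valid JSON, because the `flushTimeout` key is missing its opening quote (`flushTimeout": "00:00:30"`). Since this file is meant to be copied as a starting point, the line should read `"flushTimeout": "00:00:30"`. Two smaller wording points in the same hunk: under `### External URLs`, "Remove any local from the URL" should say "locale", and "Github" should be spelled "GitHub" where it appears in the `author` guidance and the GFM section.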
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index ee87f2e5f5..9ee3c86345 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -2,9 +2,6 @@
title: Add or hide optional apps and features on Windows devices | Microsoft Docs
description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: article
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
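Review bot: The front matter here still carries `ms.prod: w10` after the cleanup, while the template added in this same change says `ms.prod` should always be `windows` and describes `w10` as a value that only older articles use. If the goal of this pass is to bring metadata in line with the template, consider updating `ms.prod` at the same time as dropping `ms.mktglfcycl`, `ms.sitesec` and `ms.pagetype`, or state in the PR description that `ms.prod` is deliberately left for a later change. The same applies to the App-V files below that keep `ms.prod: w10`.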
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 290b271595..ed4e23e340 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -2,9 +2,6 @@
title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -67,7 +64,7 @@ App-V supports System Center 2016 and System Center 2012 R2 Configuration Manage
-## Related topics
+## Related articles
* [Release Notes for App-V for Windows 10, version 1607](../app-v/appv-release-notes-for-appv-for-windows.md)
* [Release Notes for App-V for Windows 10, version 1703](../app-v/appv-release-notes-for-appv-for-windows-1703.md)
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 4fa5f87a19..d49eb1249f 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11)
description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -33,6 +30,6 @@ Use the following procedures to add or remove an administrator on the Microsoft
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index c4d52d6ce8..e0eb8f53de 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11)
description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -43,6 +40,6 @@ You can use the following procedure to add or upgrade a package to the App-V Man
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index 5e78a6e878..03ad7e6238 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -2,9 +2,6 @@
title: Administering App-V by using Windows PowerShell (Windows 10/11)
description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -52,6 +49,6 @@ The following table describes Windows PowerShell error handling for App-V.
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index 78a01b2df0..bf7e7c0092 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -2,9 +2,6 @@
title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11)
description: Administering App-V Virtual Applications by using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
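Review bot: The `description` left in place in this front matter repeats the title verbatim and has no trailing period (`description: Administering App-V Virtual Applications by using the Management Console`). The template in this change asks for a summary of the content that always ends with a period, so it is worth rewriting this line while the metadata block is being touched.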
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index 8229ce4e12..64361de362 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -2,9 +2,6 @@
title: Only Allow Admins to Enable Connection Groups (Windows 10/11)
description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
@@ -32,6 +29,6 @@ Use one of the following methods to allow only administrators to enable or disab
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 6e37203bad..34b447c216 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -2,9 +2,6 @@
title: Application Publishing and Client Interaction (Windows 10/11)
description: Learn technical information about common App-V Client operations and their integration with the local operating system.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/08/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index 961240387c..c8740e0295 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -2,9 +2,6 @@
title: Apply deployment config file via Windows PowerShell (Windows 10/11)
description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
@@ -45,6 +42,6 @@ Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentCon
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 5f023014c9..be239ea61e 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -2,9 +2,6 @@
title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11)
description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
@@ -44,6 +41,6 @@ Here's how to specify a user-specific configuration file:
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index 30dccb2ed4..dc1ca15097 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -2,9 +2,6 @@
title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -93,7 +90,7 @@ There are three types of log files that occur when you sequence multiple apps at
- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 9273525175..7c980f474e 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -2,9 +2,6 @@
title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -147,7 +144,7 @@ There are three types of log files that occur when you sequence multiple apps at
- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the **NewAppVSequencerPackage** cmdlet, including the allowed parameters.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 0edc5463b0..cb417de5f7 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -2,16 +2,13 @@
title: Auto-remove unpublished packages on App-V client (Windows 10/11)
description: How to automatically clean up any unpublished packages on your App-V client devices.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
----
+---
# Automatically clean up unpublished packages on the App-V client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
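Review bot: The front-matter terminator is corrected from `----` to `---` here, but no blank line is added between it and the `# Automatically clean up unpublished packages on the App-V client` heading, whereas other files in this change (for example appv-connect-to-the-management-console.md and appv-connection-group-file.md) add one after `---`. Add the blank line for consistency. The terminator fix is also a different kind of change from the metadata removal in the rest of the hunk, so it deserves a mention in the PR description.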
@@ -59,7 +56,7 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
-## Related topics
+## Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [Deploying App-V for Windows client](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index a8a277b8de..90d51b1e29 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -2,9 +2,6 @@
title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -122,7 +119,7 @@ After provisioning your sequencing environment, you must sequence your apps, eit
After you sequence your packages, you can automatically clean up any unpublished packages on the App-V client. To learn more, see [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md).
-### Related topics
+### Related articles
- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0)
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 0c7aeffe75..1cb2437d69 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -2,9 +2,6 @@
title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11)
description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 8757a55bb9..969926e2ed 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -2,9 +2,6 @@
title: App-V Capacity Planning (Windows 10/11)
description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -192,7 +189,7 @@ Although there are many fault-tolerance strategies and technologies you can use,
-## Related topics
+## Related articles
* [App-V supported configurations](appv-supported-configurations.md)
* [Planning for high availability with App-V](appv-planning-for-high-availability-with-appv.md)
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 25ab412507..df718dd34c 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -2,9 +2,6 @@
title: About Client Configuration Settings (Windows 10/11)
description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 4496a174b1..e6df891618 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to configure access to packages by using the Management Console (Windows 10/11)
description: How to configure access to packages by using the App-V Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/18/2018
ms.reviewer:
@@ -59,6 +56,6 @@ Use the following procedure to configure access to virtualized packages.
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index 2d597185f7..fea49f61d9 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -2,9 +2,6 @@
title: How to make a connection group ignore the package version (Windows 10/11)
description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/18/2018
ms.reviewer:
@@ -64,6 +61,6 @@ For more information, see [How to manage App-V packages running on a stand-alone
-## Related topics
+## Related articles
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index 6b86fc2b2e..049605ef02 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -2,9 +2,6 @@
title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11)
description: How to configure the client to receive package and connection groups updates from the publishing server.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to configure the client to receive package and connection groups updates from the publishing server
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -62,6 +60,6 @@ This article will tell you how to configure the App-V client to receive updates
-## Related topics
+## Related article
* [Operations for App-V](appv-operations.md)
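Review bot: The replacement heading in this hunk is singular, `## Related article`, while the other files in this change use `## Related articles`, including appv-connect-to-the-management-console.md, whose visible list also has one link. Suggest `## Related articles` here for consistency, unless the singular form is a deliberate convention for one-item lists.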
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index 06de437d79..253636d464 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -2,9 +2,6 @@
title: How to connect to the Management Console (Windows 10/11)
description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to connect to the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,6 +26,6 @@ Use the following procedure to connect to the App-V Management Console.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index 92dc7627d6..8ceb9b6c5f 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -2,9 +2,6 @@
title: About the connection group file (Windows 10/11)
description: A summary of what the connection group file is and how to configure it.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About the connection group file
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -141,6 +139,6 @@ App-V supports the following application connection configurations.
-## Related topics
+## Related articles
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index 1329a1cb1a..db04478772 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -2,9 +2,6 @@
title: About the connection group virtual environment (Windows 10/11)
description: Learn how the connection group virtual environment works and how package priority is determined.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
@@ -81,6 +78,6 @@ When a virtualized application tries to find a specific file, App-V will search
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 9f0ed57692..1684f4c3f3 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -2,9 +2,6 @@
title: How to convert a package created in a previous version of App-V (Windows 10/11)
description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -89,6 +86,6 @@ The App-V package converter will save the App-V 4.6 installation root folder and
- Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 9e341e6f82..ee158c7267 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -2,9 +2,6 @@
title: How to create a connection croup with user-published and globally published packages (Windows 10/11)
description: How to create a connection croup with user-published and globally published packages.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
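Review bot: The unchanged `title:` and `description:` lines at the top of this hunk both read "connection croup"; that should be "connection group". Since this change already edits the front matter of this file, fix both occurrences in the same pass. The description also just repeats the title, so a one-sentence summary of the procedure would be more useful there.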
@@ -62,6 +59,6 @@ Here are some important things to know before you get started:
-## Related topics
+## Related articles
- [Managing Connection Groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index b4d48a6138..260369d8c3 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -2,9 +2,6 @@
title: How to create a connection group (Windows 10/11)
description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -45,7 +42,7 @@ When you place packages in a connection group, their package root paths merge. I
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index c8d9b25862..0190e974ef 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11)
description: How to create a custom configuration file by using the App-V Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a custom configuration file by using the App-V Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +32,6 @@ You can create a dynamic user configuration file with the App-V Management Conso
> If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enalbed and set to block downloads, you won't be able to download anything from the App-V Server.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
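Review bot: The unchanged note line at the top of this hunk contains the typo "enalbed" ("If this setting is enalbed and set to block downloads"). It sits directly above the heading being renamed, so correct it to "enabled" in this change.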
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 4a69807fe8..28482df125 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -2,9 +2,6 @@
title: How to create a package accelerator by using Windows PowerShell (Windows 10/11)
description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index c424df0536..3f2be47130 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -2,9 +2,6 @@
title: How to create a package accelerator (Windows 10/11)
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a package accelerator
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -75,7 +73,7 @@ Use the following procedure to create a package accelerator.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [How to create a virtual application package using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index d3785312ee..babfd64cfe 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -2,9 +2,6 @@
title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11)
description: How to create a virtual application package using an App-V Package Accelerator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to create a virtual application package using an App-V Package Accelerator
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -75,6 +73,6 @@ Use the following procedure to create a virtual application package with the App
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 7bd90c04f0..32aca7fa5e 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -2,9 +2,6 @@
title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11)
description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Create and apply an App-V project template to a sequenced App-V package
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -49,7 +47,7 @@ After creating the template, you can apply it to all of your new virtual app pac
3. Create your new virtual app package. The settings saved with your template are automatically applied.
-### Related topics
+### Related articles
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
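Review bot: The heading in this hunk stays at level three (`### Related articles`), while the other files in this change use `## Related articles`. If the section is not meant to be nested under the preceding procedure heading, promote it to `##` while the line is being edited.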
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index b4a7f6d068..5dd5070e14 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -2,9 +2,6 @@
title: Creating and managing App-V virtualized applications (Windows 10/11)
description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -152,6 +149,6 @@ You can also find additional information about sequencing errors using the Windo
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 8e4c7d87d1..4b06455581 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11)
description: How to customize virtual application extensions for a specific AD group by using the Management Console.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
@@ -36,6 +33,6 @@ Use the following procedure to customize the virtual application extensions for
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 029f29e3c2..13a1040daf 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -2,9 +2,6 @@
title: How to delete a connection group (Windows 10/11)
description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to delete a connection group
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,7 +26,7 @@ Use the following procedure to delete an existing App-V connection group.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
- [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index ad05d36d3f..e4df263550 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to delete a package in the Management Console (Windows 10/11)
description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to delete a package in the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,6 +26,6 @@ Use the following procedure to delete an App-V package.
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 453435774b..9c2e2e8c68 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11)
description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
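Review bot: The unchanged `title:` line in this hunk uses title case ("How to Deploy the App-V Databases by Using SQL Scripts"), while the H1 shown in the next hunk of the same file uses sentence case ("How to deploy the App-V databases by using SQL scripts"). Since the front matter is being edited anyway, align the title with the H1.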
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy the App-V databases by using SQL scripts
>Applies to: Windows Server 2016
@@ -182,7 +180,7 @@ Steps to install "AppVReporting" schema in SQL SERVER.
-## Related topics
+## Related articles
* [Deploying the App-V Server](appv-deploying-the-appv-server.md)
* [How to deploy the App-V Server](appv-deploy-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 0100900c31..1c04491cc8 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,10 +1,7 @@
---
title: How to deploy App-V packages using electronic software distribution (Windows 10/11)
-description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
+description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy App-V packages using electronic software distribution
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -44,6 +42,6 @@ Use one of the following methods to publish packages to App-V client computers w
-## Related topics
+## Related articles
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 644dd1343f..0025905016 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Server Using a Script (Windows 10/11)
description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to deploy the App-V server using a script
>Applies to: Windows Server 2016
@@ -521,6 +519,6 @@ To use a custom instance of Microsoft SQL Server, use these parameters:
-## Related topics
+## Related articles
* [Deploying the App-V Server](appv-deploying-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 2008ff70ab..b054a15012 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -2,9 +2,6 @@
title: How to Deploy the App-V Server (Windows 10/11)
description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Deploy the App-V Server (new installation)
>Applies to: Windows Server 2016
@@ -107,7 +105,7 @@ ms.topic: article
Example: `http://localhost:12345/console.html`. If the installation succeeded, the App-V Management console will display with no errors.
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
* [How to install the management and reporting databases on separate computers from the management and reporting services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index f5b38832b7..8dbb0be4d1 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -2,9 +2,6 @@
title: Deploying App-V (Windows 10/11)
description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,11 +9,12 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying App-V for Windows client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment.
+App-V supports several different deployment options. Review this article for information about the tasks that you must complete at different stages in your deployment.
## App-V Deployment Information
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 3b8a59633f..cf9b704fd3 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11)
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2010 by Using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index d15ea0bd7c..3dff5e4e6f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2013 by Using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index f00ec718f9..657f495e80 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -2,9 +2,6 @@
title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying Microsoft Office 2016 by using App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -375,7 +373,7 @@ The following table describes the requirements and options for deploying Visio 2
| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office. If you're not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods: **To create two different packages and deploy each one to a different group of users**: Create and deploy the following packages: - A package that contains only Office—deploy to computers whose users need only Office. - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.
**To create only one package for the whole organization, or to create a package intended for users who share computers**: 1. Create a package that contains Office, Visio, and Project. 2. Deploy the package to all users. 3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. |
-## Related topics
+## Related articles
* [Deploying App-V for Windows client](appv-deploying-appv.md)
* [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
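Review bot: The unchanged table row at the top of this hunk still says "described in this topic", while this change renames "Related topics" to "Related articles" in the same file and replaces "this topic" with "this article" in appv-deploying-appv.md. Update that table cell as well so the terminology is consistent within the file.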
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 9a36b51345..3611a2181c 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -2,9 +2,6 @@
title: Deploying App-V packages by using electronic software distribution (ESD)
description: Deploying App-V packages by using electronic software distribution (ESD)
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
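Review bot: In the front matter of this hunk the `description:` line is identical to the `title:` line, and the title lacks the "(Windows 10/11)" suffix that the other App-V articles in this change carry. While the metadata is being cleaned up, give the description a sentence that summarizes the article and bring the title suffix in line with the rest of the set.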
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying App-V packages by using electronic software distribution (ESD)
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,7 +26,7 @@ To learn more about how to deploy virtualized packages using an ESD, see [How to
To learn how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD, see [How to enable only administrators to publish packages by using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md).
-## Related topics
+## Related articles
- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 0336c74412..f9634bb42c 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -2,9 +2,6 @@
title: Deploying the App-V Sequencer and configuring the client (Windows 10/11)
description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying the App-V Sequencer and configuring the client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 447af752a5..e425121b5a 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -2,9 +2,6 @@
title: Deploying the App-V Server (Windows 10/11)
description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Deploying the App-V server
>Applies to: Windows Server 2016
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 971998ee44..6daec0a802 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -2,9 +2,6 @@
title: App-V Deployment Checklist (Windows 10/11)
description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Deployment Checklist
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -31,6 +29,6 @@ This checklist outlines the recommended steps and items to consider when deployi
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 43866694ff..940ef0f90c 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -2,9 +2,6 @@
title: About App-V Dynamic Configuration (Windows 10/11)
description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About App-V dynamic configuration
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 46d4a0a4fe..7e4ecc2081 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11)
description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
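Review bot: The description kept as context in this front-matter hunk repeats the title word for word ("How to Enable Reporting on the App-V Client by Using Windows PowerShell"), so it adds nothing for search results or link previews. Since this pass is already editing the metadata block, replace it with a sentence that says what the article covers, in the style of the "Learn how to ..." descriptions used by sibling App-V files in this patch.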
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Enable Reporting on the App-V Client by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -43,7 +41,7 @@ Use the following procedure to configure the App-V for reporting.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index ac9ff40578..337a016044 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -2,9 +2,6 @@
title: Enable the App-V in-box client (Windows 10/11)
description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Enable the App-V in-box client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 964c753d27..0bfbdf81ed 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -2,9 +2,6 @@
title: Evaluating App-V (Windows 10/11)
description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Evaluating App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
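Review bot: The front matter in this file ends with "ms.author: aaroncz" directly before the closing "---", so it has no ms.topic entry, while the files earlier in this patch carry "ms.topic: article" at that position. As the change is already cleaning up the metadata block, add "ms.topic: article" here as well. The same gap appears in the other files in this patch whose second hunk shows ms.author immediately before "---".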
@@ -20,7 +16,7 @@ ms.author: aaroncz
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
-Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up App-V in a lab environment for evaluation purposes only.
+Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this article to set up App-V in a lab environment for evaluation purposes only.
## Configure lab computers for App-V Evaluation
@@ -51,6 +47,6 @@ Use the following links for more information about creating and managing virtual
- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-## Related topics
+## Related articles
- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index bc05a5d4aa..5218e5194d 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -1,10 +1,7 @@
---
title: Application Virtualization (App-V) (Windows 10/11)
-description: See various topics that can help you administer Application Virtualization (App-V) and its components.
+description: See various articles that can help you administer Application Virtualization (App-V) and its components.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Application Virtualization (App-V) for Windows client overview
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -19,7 +17,7 @@ ms.topic: article
> [!NOTE]
> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)]
-The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users.
+The articles in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users.
[Getting started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 7fd466e9c5..813ac3e0df 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -2,9 +2,6 @@
title: Getting Started with App-V (Windows 10/11)
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Getting started with App-V for Windows client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index e9865ae8bb..beb7f72afc 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -2,9 +2,6 @@
title: High-level architecture for App-V (Windows 10/11)
description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# High-level architecture for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -32,6 +30,6 @@ A typical App-V implementation consists of the following elements.
>[!NOTE]
>If you are using App-V with electronic software distribution (ESD), you aren't required to use the App-V Management server. However, you can still use App-V's reporting and streaming functionality.
-## Related topics
+## Related articles
- [Getting Started with App-V](appv-getting-started.md)
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index ad8668ac96..7f3634d48b 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11)
description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -141,6 +138,6 @@ Before attempting this procedure, you should read and understand the information
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index 63b3cdcfd2..3f9382ed18 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -2,9 +2,6 @@
title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11)
description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services
>Applies to: Windows Server 2016
@@ -69,13 +67,13 @@ Use the following procedure to install the database server and management server
4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
> [!NOTE]
- >For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
+ >For more information about modifying the required SIDs contained in the scripts, see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
5. Run the scripts on the computer running Microsoft SQL Server.
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
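Review bot: The rewritten NOTE line now reads "contained in the scripts, see, [How to Install the App-V Databases ...": the comma added before "see" is correct, but the comma that already followed "see" was left in place and now sits directly in front of the link. Drop the trailing comma so the sentence reads "... contained in the scripts, see [How to Install the App-V Databases ...]".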
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 6a735c487a..ce718b9ce8 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -2,9 +2,6 @@
title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
description: How to install the Management Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the Management Server on a Standalone Computer and Connect it to the Database
>Applies to: Windows Server 2016
@@ -38,6 +36,6 @@ To install the management server on a standalone computer and connect it to the
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index a5d761bf80..2217e93aab 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -2,9 +2,6 @@
title: Install the Publishing Server on a Remote Computer (Windows 10/11)
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the publishing server on a remote computer
>Applies to: Windows Server 2016
@@ -60,6 +58,6 @@ Use the following procedure to install the publishing server on a separate compu
-## Related topics
+## Related articles
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 40d6a0906b..109695af22 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -2,9 +2,6 @@
title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to install the reporting server on a standalone computer and connect it to the database
>Applies to: Windows Server 2016
@@ -42,7 +40,7 @@ Use the following procedure to install the reporting server on a standalone comp
-## Related topics
+## Related articles
* [About App-V reporting](appv-reporting.md)
* [Deploying App-V](appv-deploying-appv.md)
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index f53702ace1..c3f7e5871f 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -2,9 +2,6 @@
title: Install the App-V Sequencer (Windows 10/11)
description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Install the App-V Sequencer
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -56,6 +54,6 @@ For more information regarding the sequencer installation, you can view the erro
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index a6d176cee5..2f7f7198c4 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -2,9 +2,6 @@
title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index f09e745825..4920d942b8 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -2,9 +2,6 @@
title: Maintaining App-V (Windows 10/11)
description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Maintaining App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 7a32f99f96..3530f44a72 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11)
description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -21,7 +17,7 @@ An App-V connection group allows you to run all the virtual applications as a de
A connection group XML file defines the connection group for the App-V client. For information about the connection group XML file and how to configure it, see [About the Connection Group File](appv-connection-group-file.md).
-This topic explains the following procedures:
+This article explains the following procedures:
- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
@@ -90,7 +86,7 @@ This topic explains the following procedures:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index a769395ffe..101a4319c9 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -2,9 +2,6 @@
title: Managing Connection Groups (Windows 10/11)
description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Managing Connection Groups
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 45669bd33e..ffc314ab6a 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -2,9 +2,6 @@
title: Migrating to App-V from a Previous Version (Windows 10/11)
description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Migrating to App-V from previous versions
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -119,7 +115,7 @@ There's no direct method to upgrade to a full App-V infrastructure. Use the info
|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)|
|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)|
|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)|
-|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
+|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this article.|
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index 86dd8a2e20..73cca93a49 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -2,9 +2,6 @@
title: How to Modify an Existing Virtual Application Package (Windows 10/11)
description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,12 +9,11 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Modify an Existing Virtual Application Package
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic explains how to:
+This article explains how to:
- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
@@ -151,6 +147,6 @@ This topic explains how to:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index e3d8c9c251..ed3b70bd54 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -2,9 +2,6 @@
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11)
description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Modify Client Configuration by Using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +30,6 @@ Use the following procedure to configure the App-V client configuration.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 011db77850..b54803c5c3 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -2,9 +2,6 @@
title: How to Move the App-V Server to Another Computer (Windows 10/11)
description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to move the App-V server to another computer
**Applies to**
@@ -33,6 +29,6 @@ Follow these steps to create a new management server console:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index 80ba2f4fbd..cc6eb653d1 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -2,9 +2,6 @@
title: Operations for App-V (Windows 10/11)
description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Operations for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index ee185b6c84..16d57ffc8b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -2,9 +2,6 @@
title: Performance Guidance for Application Virtualization (Windows 10/11)
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Performance Guidance for Application Virtualization
**Applies to**:
@@ -509,6 +505,6 @@ The following terms are used when describing concepts and actions related to App
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Application Virtualization (App-V) overview](appv-for-windows.md)
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 0f7bd36c74..4587de5ccf 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -2,9 +2,6 @@
title: App-V Planning Checklist (Windows 10/11)
description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Planning Checklist
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -34,6 +32,6 @@ This checklist can be used to help you plan for preparing your organization for
-## Related topics
+## Related articles
[Planning for App-V](appv-planning-for-appv.md)
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index a1adab31c4..7e5df34930 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -2,9 +2,6 @@
title: Planning to Use Folder Redirection with App-V (Windows 10/11)
description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning to Use Folder Redirection with App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index 89fad53e83..bb8c0a834a 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -2,9 +2,6 @@
title: Planning for the App-V Server Deployment (Windows 10/11)
description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for the App-V server deployment
>Applies to: Windows Server 2016
@@ -57,7 +55,7 @@ The following table lists server-related protocols used by the App-V servers, an
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
* [Deploying the App-V server](appv-deploying-the-appv-server.md)
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index a0802a654d..1436e5d26f 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -2,9 +2,6 @@
title: Planning for App-V (Windows 10/11)
description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index 770424df0f..b36e523319 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -2,9 +2,6 @@
title: Planning for High Availability with App-V Server
description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for high availability with App-V Server
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -104,6 +102,6 @@ The App-V management server database supports deployments to computers running M
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 152049e1d7..f0cdc63ccc 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -2,9 +2,6 @@
title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11)
description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for the App-V Sequencer and Client Deployment
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -58,7 +56,7 @@ The following list displays some of the benefits of using App-V SCS:
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
-## Related topics
+## Related articles
* [How to install the sequencer](appv-install-the-sequencer.md)
* [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index 9256e08578..e6b05d14bb 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -2,9 +2,6 @@
title: Planning for Deploying App-V with Office (Windows 10/11)
description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning for deploying App-V with Office
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -48,7 +46,7 @@ Before implementing Office coexistence, review the information in the following
|Office 2013|[How to use Office 2013 suites and programs (MSI deployment) on a computer running another version of Office](https://support.microsoft.com/kb/2784668)|
|Office 2010|How to use Office 2010 suites and programs on a computer running another version of Office](https://support.microsoft.com/kb/2121447)|
-Once you've reviewed the relevant guide, this topic will supplement what you've learned with information about Office coexistence that's more specific to App-V deployments.
+Once you've reviewed the relevant guide, this article will supplement what you've learned with information about Office coexistence that's more specific to App-V deployments.
### Supported Office coexistence scenarios
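Review bot: the Office 2010 row in the context just above the changed sentence has a malformed link: `|Office 2010|How to use Office 2010 suites and programs on a computer running another version of Office](https://support.microsoft.com/kb/2121447)|` is missing the opening `[`, so it renders as plain text followed by a stray `](...)`. The Office 2013 row directly above it shows the intended form. Since this hunk already touches the paragraph that refers readers to these guides, fix the bracket in the same change.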
@@ -125,7 +123,7 @@ The Office 2013 or Office 2016 App-V package supports the following integration
|Primary Interop Assemblies|Support managed add-ins|
|Office Document Cache Handler|Allows Document Cache for Office applications|
|Outlook Protocol Search Handler|User can search in Outlook|
-|Active X Controls|For more information on ActiveX controls, refer to [ActiveX Control API Reference]().|
+|Active X Controls|For more information on ActiveX controls, see [ActiveX Control API Reference]().|
|OneDrive Pro Icon Overlays|Windows Explorer shell icon overlays when users look at folders OneDrive Pro folders|
|Shell extensions||
|Shortcuts||
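Review bot: the edited row still ends in `[ActiveX Control API Reference]()`, a link with an empty target, so changing "refer to" to "see" leaves readers with a dead link. Either supply the destination URL or drop the link markup and the sentence. While on this row, the first cell reads "Active X Controls" and the second "ActiveX controls"; pick one spelling. The next row's "when users look at folders OneDrive Pro folders" also has a duplicated "folders".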
@@ -135,7 +133,7 @@ The Office 2013 or Office 2016 App-V package supports the following integration
-## Related topics
+## Related articles
* [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
* [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index bdc2bee038..0058f4790c 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -2,9 +2,6 @@
title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11)
description: Planning to Deploy App-V with an Electronic Software Distribution System
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
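Review bot: the `description` in this front matter is a verbatim copy of the `title` ("Planning to Deploy App-V with an Electronic Software Distribution System"), so it adds nothing. The other files in this patch use a "Learn how to ..." sentence; since these lines are already being edited, write a real one-sentence description here. The same title-as-description pattern appears in appv-register-and-unregister-a-publishing-server-with-the-management-console.md, appv-running-locally-installed-applications-inside-a-virtual-environment.md and appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md in this patch.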
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning to Deploy App-V with an electronic software distribution system
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -29,7 +27,7 @@ Review the following component and architecture requirements options that apply
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
* [How to deploy App-V packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index e25bc08e0a..2961ee7c7a 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -2,9 +2,6 @@
title: Planning to Deploy App-V (Windows 10/11)
description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,11 +9,12 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Planning to Deploy App-V for Windows client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this topic for information about what you'll need to make a deployment plan that best meets your needs.
+There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this article for information about what you'll need to make a deployment plan that best meets your needs.
## App-V supported configurations
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 09fe0eccc9..d79827a41c 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -1,9 +1,6 @@
---
title: Preparing Your Environment for App-V (Windows 10/11)
description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Preparing your environment for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index d6eef22450..ec9b2e4fc1 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -2,9 +2,6 @@
title: App-V Prerequisites (Windows 10/11)
description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
@@ -161,7 +158,7 @@ What to know before installing the prerequisites:
|[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)|Installing Windows PowerShell 3.0 requires a restart.|
|[KB2533623](https://support.microsoft.com/kb/2533623)|Applies to Windows 7 only: download and install the KB.|
-## Related topics
+## Related articles
* [Planning for App-V](appv-planning-for-appv.md)
* [App-V Supported Configurations](appv-supported-configurations.md)
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 07b139cee1..bd948491e4 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -2,9 +2,6 @@
title: How to Publish a Connection Group (Windows 10/11)
description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to Publish a Connection Group
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -28,7 +26,7 @@ After you create a connection group, you must publish it to computers that run t
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
* [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 9ed80f4563..a116987714 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to publish a package by using the Management console (Windows 10/11)
description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# How to publish a package by using the Management console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -43,7 +41,7 @@ Use the following procedure to publish an App-V package. Once you publish a pack
-## Related topics
+## Related articles
* [Operations for App-V](appv-operations.md)
* [How to configure access to packages by using the Management console](appv-configure-access-to-packages-with-the-management-console.md)
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index ba6d7dad1f..99f10bfe36 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11)
description: How to Register and Unregister a Publishing Server by Using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Register and Unregister a Publishing Server by Using the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -43,6 +39,6 @@ Use the following procedure to register or unregister a publishing server.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 44a6c6ec5c..8ffcdfb10f 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -2,9 +2,6 @@
title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11)
description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Release Notes for App-V for Windows 10 version 1703 and later
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -108,7 +104,7 @@ For information that can help with troubleshooting App-V for Windows client, see
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
- [What's new in App-V for Windows client](appv-about-appv.md)
- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
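Review bot: under the renamed heading, the second link is labelled "Release Notes for App-V for Windows 10, version 1607" but targets `appv-release-notes-for-appv-for-windows-1703.md`, which is this file, so the 1703 release notes link to themselves. The 1607 notes are in `appv-release-notes-for-appv-for-windows.md`, whose title in this same patch is "Release Notes for App-V for Windows 10, version 1607". Point the link there.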
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 5d42b2690d..3cdbf4b20c 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -2,9 +2,6 @@
title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index cee9484018..2ca67c8695 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -2,9 +2,6 @@
title: About App-V Reporting (Windows 10/11)
description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# About App-V reporting
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -212,7 +210,7 @@ You should also ensure that the reporting server web service’s **Maximum Concu
-## Related topics
+## Related articles
* [Deploying the App-V server](appv-deploying-the-appv-server.md)
* [How to install the reporting server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md)
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 8f37e1c8d1..3237fd2de8 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -2,9 +2,6 @@
title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 03/08/2018
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
**Applies to**
@@ -135,7 +131,7 @@ If you don’t know the exact name of your package, use the command line `Get-Ap
This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
-## Related topics
+## Related articles
[Technical Reference for App-V](appv-technical-reference.md)
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 4c9e36326a..5edc3a1207 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -2,9 +2,6 @@
title: App-V Security Considerations (Windows 10/11)
description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,11 +9,12 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V security considerations
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
+This article contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
>[!IMPORTANT]
>App-V isn't a security product and doesn't provide any guarantees for a secure environment.
@@ -70,6 +68,6 @@ The following information will help you plan how to ensure that virtualized pack
During App-V setup, setup log files are created in the **%temp%** folder of the installing user.
-## Related topics
+## Related articles
[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index a373a054fb..5a9c710587 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -2,9 +2,6 @@
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -212,7 +210,7 @@ Starting with Windows 10 version 1607, the App-V Sequencer is included with the
>After you have successfully created a virtual application package, you can't run the virtual application package on the computer that is running the sequencer.
-## Related topics
+## Related articles
- [Install the App-V Sequencer](appv-install-the-sequencer.md)
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 7bf6811af5..6b99b11b7d 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -2,9 +2,6 @@
title: How to sequence a package by using Windows PowerShell (Windows 10/11)
description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Sequence a Package by using Windows PowerShell
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -25,7 +21,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe
**To create a new virtual application by using Windows PowerShell**
-1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md).
+1. Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
2. Click **Start** and type **Windows PowerShell**. Right-click **Windows PowerShell**, and select **Run as Administrator**.
@@ -67,7 +63,7 @@ Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `up
> [!IMPORTANT]
> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
-## Related topics
+## Related articles
- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 0214e455b2..071879bc7c 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -2,9 +2,6 @@
title: App-V Supported Configurations (Windows 10/11)
description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
@@ -12,6 +9,7 @@ manager: dougeby
ms.author: aaroncz
ms.topic: article
---
+
# App-V Supported Configurations
**Applies to**:
@@ -24,7 +22,7 @@ ms.topic: article
- Windows Server 2012
- Windows Server 2008 R2 (Extended Security Update)
-This topic specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
+This article specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
## App-V Server system requirements
@@ -123,7 +121,7 @@ See the Windows or Windows Server documentation for the hardware requirements.
The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606.
-## Related topics
+## Related articles
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
* [App-V prerequisites](appv-prerequisites.md)
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index 36c6a128fb..786dc0acb1 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -2,9 +2,6 @@
title: Technical Reference for App-V (Windows 10/11)
description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Technical Reference for App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 69dd653179..54322edfa1 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11)
description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -33,6 +29,6 @@ Use the following procedure to transfer the access and default package configura
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index f61d909a07..d5444ae7ab 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,10 +1,7 @@
---
title: Troubleshooting App-V (Windows 10/11)
-description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
+description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Troubleshooting App-V
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 792fd16cb7..d8687a7cf5 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -2,9 +2,6 @@
title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11)
description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 33d519b976..c7ece16ed1 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -2,9 +2,6 @@
title: Using the App-V Client Management Console (Windows 10/11)
description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,12 +9,11 @@ manager: dougeby
ms.author: aaroncz
---
-
# Using the App-V Client Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
-This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
+This article provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
## Options for managing the App-V client
@@ -60,6 +56,6 @@ The client management console contains the following described main tabs.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index 5c8b1a7cad..c3742fa2f9 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -2,9 +2,6 @@
title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11)
description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@@ -37,6 +33,6 @@ Use the following procedure to view and configure default package extensions.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index ec8fc27864..b74ad51647 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -2,9 +2,6 @@
title: Viewing App-V Server Publishing Metadata (Windows 10/11)
description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
author: aczechowski
-ms.pagetype: mdop, appcompat, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -12,7 +9,6 @@ manager: dougeby
ms.author: aaroncz
---
-
# Viewing App-V Server Publishing Metadata
**Applies to**
@@ -95,6 +91,6 @@ In your publishing metadata query, enter the string values that correspond to th
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[Technical Reference for App-V](appv-technical-reference.md)
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 1e1bd53e0d..ba0a92dcf7 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index b9d63a3d9c..d85b5ea89f 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -8,7 +8,6 @@ ms.reviewer:
manager: dougeby
ms.topic: article
ms.prod: w10
-keywords: windows 10, uwp, enterprise, background task, resources
---
# Remove background task resource restrictions
diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md
index 477c2848c0..17dace9c69 100644
--- a/windows/application-management/includes/app-v-end-life-statement.md
+++ b/windows/application-management/includes/app-v-end-life-statement.md
@@ -3,7 +3,6 @@ author: aczechowski
ms.author: aaroncz
ms.date: 09/20/2021
ms.reviewer:
-audience: itpro
manager: dougeby
ms.prod: w10
ms.topic: include
diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md
index 771c441905..7cb153ddb7 100644
--- a/windows/application-management/includes/applies-to-windows-client-versions.md
+++ b/windows/application-management/includes/applies-to-windows-client-versions.md
@@ -3,7 +3,6 @@ author: aczechowski
ms.author: aaroncz
ms.date: 09/28/2021
ms.reviewer:
-audience: itpro
manager: dougeby
ms.prod: w10
ms.topic: include
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index b602dd6fa0..122ffdd4f1 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -3,10 +3,7 @@ title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/
description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
ms.reviewer:
manager: dougeby
-keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
@@ -34,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
+ - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
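Review bot: Only the Windows 10, version 2004 entry moves to `software-static.download.prss.microsoft.com`; the 21H2, 1903/1909 and 1809 entries in the same list stay on `software-download.microsoft.com`. If the host change is the reason for this edit, check that those three links still resolve and move them in the same commit. The 21H2 file name on the first context line also reads `~amd_64~~.cab` where every other entry uses `amd64`, which looks like a typo worth confirming, because administrators import these .cab files into WSUS directly from this list.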
@@ -102,6 +99,6 @@ In the following example, the **Id** can be any generated GUID and the **Name**
```
-## Related topics
+## Related articles
- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 58a6ac7e49..4657bd8ea3 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -2,9 +2,6 @@
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.date: 09/14/2017
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index f41a49eb16..17fe815f82 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -1,14 +1,10 @@
---
title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs
description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: amanh
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.date: 09/15/2021
ms.localizationpriority: medium
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index 67850b66e7..c155a0e790 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
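Review bot: The `description:` value on the context line still reads "get a list off the provisioned apps" and "installed a Windows Enterprise client computer"; since this front matter is being edited anyway, correct it to "a list of" and "installed on a". The description in system-apps-windows-client-os.md carries the same two slips and should get the same fix.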
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 88a88de355..d05b8db3c7 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -2,8 +2,6 @@
title: How to keep apps removed from Windows 10 from returning during an update
description: How to keep provisioned apps that were removed from your machine from returning during an update.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.author: aaroncz
author: aczechowski
ms.date: 05/25/2018
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index b166f06efd..0e20c16ba3 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,14 +1,10 @@
---
title: Sideload LOB apps in Windows client OS | Microsoft Docs
description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
-ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
---
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 6158870fa4..7fe5fa1c05 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -2,9 +2,6 @@
title: Service Host service refactoring in Windows 10 version 1703
description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.date: 07/20/2017
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 5b41691ed9..89689b0d06 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index dd92af8c4f..817cffb7c0 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -2,11 +2,11 @@
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
-ms.sitesec: library
-author: aczechowski
+ms.technology: windows
ms.localizationpriority: medium
+ms.date: 06/02/2022
+author: aczechowski
ms.author: aaroncz
-ms.date: 11/16/2018
ms.reviewer:
manager: dougeby
ms.topic: troubleshooting
@@ -15,16 +15,15 @@ ms.collection: highpri
# Advanced troubleshooting for Windows boot problems
-
Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues
+
Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues.
> [!NOTE]
-> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
+> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
-
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
@@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
-**1. PreBoot**
+1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
-The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
+2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
-**2. Windows Boot Manager**
+3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
-Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
+4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
-**3. Windows operating system loader**
-
-Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
-
-**4. Windows NT OS Kernel**
-
-The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
-
-The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
-
-Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
-
-
-[Click to enlarge](img-boot-sequence.md)
+ The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
+
+Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
+:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
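Review bot: The new numbered items 1 and 2 describe only the BIOS path ("Firmware reads the master boot record (MBR)", "Windows loader (Winload.exe)"), while the table directly above lists UEFI firmware and `winload.efi` in its UEFI column. As these lines are being rewritten, name the UEFI equivalents in the same items so the list and the table agree. The item 4 continuation paragraph ("The kernel passes control to the session manager process") is correctly indented under the list item, so no change is needed there.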
@@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr
>
> `Bcdedit /set {default} bootmenupolicy legacy`
-
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
@@ -86,26 +74,25 @@ To determine whether the system has passed the BIOS phase, follow these steps:
If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
-- Boot Configuration Data (BCD) missing or corrupted
-- Boot file or MBR corrupted
-- Operating system Missing
-- Boot sector missing or corrupted
-- Bootmgr missing or corrupted
-- Unable to boot due to system hive missing or corrupted
-
-To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
+- Boot Configuration Data (BCD) missing or corrupted
+- Boot file or MBR corrupted
+- Operating system Missing
+- Boot sector missing or corrupted
+- Bootmgr missing or corrupted
+- Unable to boot due to system hive missing or corrupted
+To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
-To do this task of invoking the Startup Repair tool, follow these steps.
+To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
-> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
+> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
-1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
+1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
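Review bot: The sentence "To do this task of invoking the Startup Repair tool, follow these steps." is re-added with only a whitespace change and is still awkward; "To start the Startup Repair tool, follow these steps." says the same thing. In the re-indented list, "Operating system Missing" keeps a capital M that the neighbouring items ("Boot sector missing or corrupted") do not use, so normalize the casing while the lines are being touched.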
@@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
-**%windir%\System32\LogFiles\Srt\Srttrail.txt**
-
-
-For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
+`%windir%\System32\LogFiles\Srt\Srttrail.txt`
+For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
-```console
+```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
-```console
+```command
BOOTREC /FIXBOOT
```
> [!NOTE]
-> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
+> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
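Review bot: The fence language changes from `console` to `command` on both BOOTREC blocks here, and the later hunks repeat it; confirm that `command` is a tag the publishing build recognises, and keep `console` if it is not, because an unknown tag typically drops highlighting or raises a build warning. Separately, the "For more information" link now points to a general blue screen article instead of the earlier Stop error article, so check that the new target still covers the Startup Repair log this paragraph is about.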
@@ -146,15 +131,15 @@ If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this step, run the following command:
- ```console
+ ```command
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem isn't fixed, run the following commands:
-
- ```console
+
+ ```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
@@ -172,128 +157,116 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive
1. At a command prompt, change the directory to the System Reserved partition.
-2. Run the **attrib** command to unhide the file:
+2. Run the `attrib` command to unhide the file:
- ```console
+ ```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
- ```console
+ ```command
attrib -r -s -h
```
-4. Rename the Bootmgr file as Bootmgr.old:
+4. Rename the `bootmgr` file as `bootmgr.old`:
- ```console
+ ```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
-6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
+6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
-### Method 5: Restore System Hive
+### Method 5: Restore system hive
-If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
+If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
-> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
-- A Stop error appears after the splash screen (Windows Logo screen).
+- A Stop error appears after the splash screen (Windows Logo screen).
-- Specific error code is displayed.
+- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
+ - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
+ - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
+- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
-- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
-
-- A black screen appears after the splash screen.
+- A black screen appears after the splash screen.
To troubleshoot these problems, try the following recovery boot options one at a time.
-**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
+### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
-1. Use one of the following methods to open Event Viewer:
+1. Use one of the following methods to open Event Viewer:
- - Click **Start**, point to **Administrative Tools**, and then click
- **Event Viewer**.
+ - Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- - Start the Event Viewer snap-in in Microsoft Management Console (MMC).
+ - Start the Event Viewer snap-in in Microsoft Management Console (MMC).
-2. In the console tree, expand Event Viewer, and then click the log that you
- want to view. For example, click **System log** or **Application log**.
+2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
-3. In the details pane, double-click the event that you want to view.
+3. In the details pane, open the event that you want to view.
-4. On the **Edit** menu, click **Copy**, open a new document in the program in
- which you want to paste the event (for example, Microsoft Word), and then
- click **Paste**.
-
-5. Use the Up Arrow or Down Arrow key to view the description of the previous
- or next event.
+4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
+5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
-To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
+To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
-For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
+For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
-[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
+[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
-
-**Examples**
+#### Examples
> [!WARNING]
-> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
-problems can be solved. Modify the registry at your own risk.
+> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
To troubleshoot this Stop error, follow these steps to filter the drivers:
-1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
+1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
-2. Open the registry.
+2. Open the registry.
-3. Load the system hive, and name it as "test."
+3. Load the system hive, and name it **test**.
-4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
-
- **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
-
-5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
+4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
-6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
+ `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
-7. Restart the server in Normal mode.
+5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
-For more troubleshooting steps, see the following articles:
+6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
-- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
+7. Restart the server in Normal mode.
+
+For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
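Review bot: In the INACCESSIBLE_BOOT_DEVICE steps, step 3 loads the offline system hive as **test**, but step 4 still gives the path as `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`, which inside WinRE is the recovery environment's own hive rather than the one just loaded. Suggest giving the path under the loaded hive (`HKEY_LOCAL_MACHINE\test\ControlSet001\Control\Class`) so the filter values are checked on the installation being repaired. Step 5 deletes the filter value data with no record of what was there; a step to export the key or note the original data first would let the change be undone. Minor: in the Event Viewer list, the new step 4 leaves "For example, Microsoft Word." as a sentence fragment.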
@@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending
2. Run the command:
- ```console
+ ```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
- ```console
+ ```command
DISM /image:C:\ /remove-package /packagename: name of the package
- ```
- ```console
+
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
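Review bot: In the second block, `/packagename: name of the package` reads as literal text and has a space after the colon, so a reader who pastes it gets a failing command; mark the placeholder explicitly, for example `/packagename:<name of the package>`. The fence tag also changes from `console` to `command` here and in the next hunk; confirm that `command` is a tag the build renders, otherwise keep `console`.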
@@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending
If the computer doesn't start, follow these steps:
-1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
+1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
-2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
+2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
-3. If the Pending.xml file is found, rename the file as Pending.xml.old.
+3. If the pending.xml file is found, rename the file as `pending.xml.old`.
-4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
+4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
-5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
+5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
-6. If the **pendingxmlidentifier** value exists, delete the value.
+6. If the `pendingxmlidentifier` value exists, delete it.
-7. Unload the test hive.
+7. Unload the test hive.
-8. Load the system hive, name it as "test".
+8. Load the system hive, name it **test**.
-9. Navigate to the following subkey:
-
- **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
-
-10. Change the **Start** value from **1** to **4**
+9. Navigate to the following subkey:
+
+ `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
+
+10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
-If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
+If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
-- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
+For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
-For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
-- [Introduction to page files](./introduction-page-file.md)
+For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
-For more information about Stop errors, see the following Knowledge Base article:
-- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
+Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
-
-If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
-
-- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
+- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- - To do this, open WinRE, open a command prompt, and then run the following command:
+ - To do this action, open WinRE, open a command prompt, and then run the following command:
- ```console
- SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
- ```
+ ```command
+ SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
+ ```
- For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
+ For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- - If there's disk corruption, run the check disk command:
+ - If there's disk corruption, run the check disk command:
- ```console
- chkdsk /f /r
- ```
+ ```command
+ chkdsk /f /r
+ ```
- - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
+- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
- 1. Start WinRE, and open a Command Prompt window.
- 2. Start a text editor, such as Notepad.
- 3. Navigate to C:\Windows\System32\Config\.
- 4. Rename the all five hives by appending ".old" to the name.
- 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
+ 1. Start WinRE, and open a command prompt window.
+ 2. Start a text editor, such as Notepad.
+ 3. Navigate to `C:\Windows\System32\Config\`.
+ 4. Rename the all five hives by appending `.old` to the name.
+ 5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
-> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
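Review bot: Steps 9 to 12 set the TrustedInstaller **Start** value to `4` (disabled) and end at "Try to start the computer", with no step that restores the value once the system boots, so servicing stays disabled and later updates can't install. Add a final step to set it back after the pending update is cleared. In the same hunk, step 8 loads the hive as **test** but step 9 gives the path under `HKEY_LOCAL_MACHINE\SYSTEM`. The registry-corruption steps copy hives from `Regback`, although the note below them says that folder is no longer backed up automatically starting in version 1803, so state that limit before step 1. Two typos also carry over into the new lines: "Rename the all five hives" and "RegBack folder.This change".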
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
deleted file mode 100644
index 6ce343dade..0000000000
--- a/windows/client-management/img-boot-sequence.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Boot sequence flowchart
-description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
-ms.date: 11/16/2018
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-author: dansimp
-ms.topic: article
-ms.prod: w10
----
-
-# Boot sequence flowchart
-
-Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-
-
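Review bot: Deleting img-boot-sequence.md needs a matching entry in .openpublishing.redirection.json, and none for this path is visible in this part of the patch; without it the published URL returns a 404. Also confirm that advanced-troubleshooting-boot-problems.md, which this page linked back to, no longer links to it.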
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index cc38c493dd..0f27f3d1d1 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -1,140 +1,136 @@
---
title: Manage Windows 10 in your organization - transitioning to modern management
-description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
-keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
+description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: devices
-author: dansimp
ms.localizationpriority: medium
-ms.date: 04/26/2018
+ms.date: 06/03/2022
+author: aczechowski
+ms.author: aaroncz
ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
+manager: dougeby
+ms.topic: overview
---
# Manage Windows 10 in your organization - transitioning to modern management
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
-Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
+Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
- >[!NOTE]
- >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
+> [!NOTE]
+> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
-This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
+This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
-- [Deployment and Provisioning](#deployment-and-provisioning)
+- [Deployment and Provisioning](#deployment-and-provisioning)
-- [Identity and Authentication](#identity-and-authentication)
+- [Identity and Authentication](#identity-and-authentication)
-- [Configuration](#settings-and-configuration)
+- [Configuration](#settings-and-configuration)
-- [Updating and Servicing](#updating-and-servicing)
+- [Updating and Servicing](#updating-and-servicing)
## Reviewing the management options with Windows 10
Windows 10 offers a range of management options, as shown in the following diagram:
-
+:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
-## Deployment and Provisioning
+## Deployment and provisioning
-With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
+With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
+- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
-- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
+- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
-- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
+You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
-You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+## Identity and authentication
-## Identity and Authentication
-
-You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
-- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+ - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
- - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
+ Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
-- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
- With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
+ - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- - Single sign-on to cloud and on-premises resources from everywhere
+- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
- - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
+ With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
+ - Single sign-on to cloud and on-premises resources from everywhere
- - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
+ - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
- - Windows Hello
+ - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
- Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
+ - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
+
+ - Windows Hello
+
+ Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
-
+:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
-## Settings and Configuration
+## Settings and configuration
-Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
-**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
+**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
-**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
+**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
-- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
+- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
-- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+## Updating and servicing
-## Updating and Servicing
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
-With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
-
-MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
+MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
## Next steps
There are various steps you can take to begin the process of modernizing device management in your organization:
-**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
+**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
-**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
+**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
+**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
-**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
+- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
+- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
+- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
+- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
-- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
-- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
-- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
-- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
+## Related articles
-## Related topics
-
-- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
-- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
-- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
+- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
+- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
+- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)
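Review bot: The replacement sentence in the "Assess current management practices" paragraph has lost its verb. "to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune" needs "are" after "group policies". The same added line still carries "reassesses", which should read "reassess" to match "minimize" and "reevaluate". Separately, this file renames its closing heading to "Related articles" while the other files touched by this patch add "## Related topics"; one form should be used throughout.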
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 4c10dc0ad9..6e1bc0d9c6 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -13,6 +13,17 @@ ms.date: 06/22/2021
# Language Pack Management CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Windows SE|No|Yes|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
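Review bot: The added lead-in "The table below shows the applicability of Windows:" does not say what applies to what. Wording along the lines of "The table below shows the Windows editions this CSP applies to:" would read correctly here and in the other files that get the same sentence. In this table every Windows 10 cell is "No", so it is worth confirming that is intended rather than a copy of the column from a template.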
@@ -81,3 +92,7 @@ The Language Pack Management CSP allows a direct way to provision languages remo
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
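Review bot: The added "[Configuration service provider reference]" link is now the last line of the file and has no trailing newline, as the "\ No newline at end of file" marker shows. Please end the file with a newline; the same marker appears after the new "Related topics" sections in accountmanagement-ddf.md and accounts-ddf-file.md.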
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 7be2cf47f8..b55a87941f 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement CSP
-
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
@@ -41,7 +40,9 @@ Interior node.
**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
-Supported operations are Add, Get, Replace, and Delete. Value type is bool.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is bool.
**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
@@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
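Review bot: The split of "Supported operations" and "Value type" into separate paragraphs is applied to DeletionPolicy, StorageCapacityStartDeletion and StorageCapacityStopDeletion, but the ProfileInactivityThreshold entry at the end of this hunk still reads "Supported operations are Add, Get, Replace, and Delete. Value type is integer." on one line. Split that line too so all five nodes follow the same layout.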
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index c4c26237bc..51380b7ed8 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
false
- Enable profile lifetime mangement for shared or communal device scenarios.
+ Enable profile lifetime management for shared or communal device scenarios.
@@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803.
```
+
+## Related topics
+
+[AccountManagement configuration service provider](accountmanagement-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index badfb5ccd9..95689e3b8f 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
-# Accounts Configuration Service Provider
+# Accounts CSP
+The table below shows the applicability of Windows:
-The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later.
The following syntax shows the Accounts configuration service provider in tree format.
-```
+```console
./Device/Vendor/MSFT
Accounts
----Domain
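Review bot: The reworded introduction now says "This CSP was added in Windows 10, version 1803, and later", which does not parse: a CSP is added in one release and supported from then on. Either keep "was added in Windows 10, version 1803" or change it to "is supported in Windows 10, version 1803 and later". The fence for the node tree is also tagged "console", although the block is a static tree and not terminal output; a plain-text tag would describe it better.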
@@ -55,10 +64,10 @@ Supported operation is Add.
Interior node for the user account information.
**Users/_UserName_**
-This node specifies the username for a new local user account. This setting can be managed remotely.
+This node specifies the username for a new local user account. This setting can be managed remotely.
**Users/_UserName_/Password**
-This node specifies the password for a new local user account. This setting can be managed remotely.
+This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
@@ -67,3 +76,7 @@ GET operation isn't supported. This setting will report as failed when deployed
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index 9d91061818..e522821656 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Accounts DDF file
-description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
+description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -11,12 +11,11 @@ ms.reviewer:
manager: dansimp
---
-# Accounts CSP
-
+# Accounts DDF file
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
-The XML below is for Windows 10, version 1803.
+The XML below is for Windows 10, version 1803 and later.
```xml
@@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803.
1
- This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
+ This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
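Review bot: The edit to this description removes the preposition and leaves "the local user group that a local user account should be joined", which is less correct than the line it replaces. The matching text in accounts-csp.md in this same patch still reads "should be joined to", so the two descriptions of the node now differ. Suggest reverting this line or using "joined to" in both places.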
@@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803.
```
+
+## Related topics
+
+[Accounts configuration service provider](accounts-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 307391743a..7215d94d6e 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -14,23 +14,31 @@ ms.date: 06/26/2017
# ActiveSync CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
-> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
-On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
+On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in.
-The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
-
-
+The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-```
+```console
./Vendor/MSFT
ActiveSync
----Accounts
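Review bot: In the added deprecation sentence the closing backtick is misplaced, so the word "path" ends up inside the code span: "The `./Vendor/MSFT/ActiveSync path` is deprecated". It should close after "ActiveSync", as the equivalent sentence further down the file does. The preceding added line also drops the parentheses around `./User/Vendor/MSFT/ActiveSync`, which makes "only per user configuration" run straight into the path; restoring the parentheses or adding "at" would fix the sentence.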
@@ -66,13 +74,11 @@ ActiveSync
The root node for the ActiveSync configuration service provider.
> [!NOTE]
-> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
-On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
+On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
-The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
-
-
+The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term.
The supported operation is Get.
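Review bot: The second added line formats only one of its two paths. `./User/Vendor/MSFT/ActiveSync` is in a code span, but "./Vendor/MSFT/ActiveSync" later in the same sentence is left as plain text and is also missing the word "path" that the copy near the top of the file has. Format both paths the same way so the per-user and deprecated device paths are easy to tell apart.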
@@ -264,7 +270,6 @@ Required. A character string that specifies the name of the content type.
> [!NOTE]
> In Windows 10, this node is currently not working.
-
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
@@ -275,7 +280,9 @@ Node for mail body type and email age filter.
**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
@@ -284,7 +291,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index dae70c2133..1b592ff96e 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# ActiveSync DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -533,7 +532,7 @@ The XML below is the current version for this CSP.
- Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}
+ Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}
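Review bot: This change adds the missing space after "calendar." but leaves the same defect three more times on the line: "GUID.Email:", "}.Calendar:" and "Tasks:{". Since the line is being touched anyway, fix all of the spacing in one pass so the four GUID labels read consistently, and consider "tasks" for "task" to match the other plural nouns.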
@@ -679,15 +678,4 @@ The XML below is the current version for this CSP.
## Related topics
-
[ActiveSync configuration service provider](activesync-csp.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index de7482b72d..589580af1a 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -14,21 +14,18 @@ ms.date: 06/26/2017
# AllJoynManagement CSP
-
-The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
+The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
-
-
-For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
+For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
The following example shows the AllJoynManagement configuration service provider in tree format
-```
+```console
./Vendor/MSFT
AllJoynManagement
----Configurations
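Review bot: The rewritten firewall paragraph still ends with two consecutive "For more information, see" sentences whose links both point to https://wikipedia.org/wiki/AllJoyn, one labelled "Device System Bridge (DSB)" and one labelled "AllJoyn - Wikipedia". Either point the DSB link at a page that actually describes the bridge or merge the two sentences into a single reference.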
@@ -64,7 +61,7 @@ The following list describes the characteristics and parameters.
The root node for the AllJoynManagement configuration service provider.
**Services**
-List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
+List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included.
**Services/***Node name*
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
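Review bot: The interface name in the Services description is now wrapped in both quotation marks and a code span, while the introduction of this file uses a code span alone for the same name. Drop the quotation marks, and add the missing noun so the sentence reads "expose the `com.microsoft.alljoynmanagement.config` interface are included".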
@@ -81,7 +78,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn
**Services/*Node name*/Port/*Node name*/CfgObject/***Node name*
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
-For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
+For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`.
**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
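Review bot: Moving "\\FabrikamService\\BridgeConfig" into a code span changes what the reader sees. Markdown does not process backslash escapes inside backticks, so the doubled backslashes now render literally, whereas the previous plain-text form rendered each pair as a single backslash. The encoded form on the same line uses %2F, which decodes to a forward slash, so please confirm the intended object path and write it once, unescaped, inside the code span.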
@@ -105,7 +102,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
## Examples
-
Set adapter configuration
```xml
@@ -167,7 +163,9 @@ Get the firewall PrivateProfile
```
-
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 77494eaf9f..961f8f1183 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AllJoynManagement DDF
-
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -238,7 +237,7 @@ It is typically implemented as a GUID.
- An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard
+ An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard.
@@ -328,15 +327,4 @@ It is typically implemented as a GUID.
## Related topics
-
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index 728e4dcda3..700e422e49 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,5 +1,5 @@
---
-title: APPLICATION configuration service provider
+title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
@@ -12,16 +12,28 @@ author: dansimp
ms.date: 06/26/2017
---
-# APPLICATION configuration service provider
+# APPLICATION CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
-OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
+OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider.
-- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
+The following list shows the supported transports:
-- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
+- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
+
+- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
@@ -29,15 +41,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 5c44ba2dc1..2c91bf430b 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -11,13 +11,10 @@ ms.date: 07/10/2019
# ApplicationControl CSP DDF
-
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-### ApplicationControl CSP
-
```xml
- Root Node of the ApplicationControl CSP
+ Root Node of the ApplicationControl CSP.
@@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- The GUID of the Policy
+ The GUID of the Policy.
@@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- The policy binary encoded as base64
+ The policy binary encoded as base64.
@@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- Information Describing the Policy indicated by the GUID
+ Information Describing the Policy indicated by the GUID.
@@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type
+ Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.
@@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)
+ Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).
@@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)
+ Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).
@@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system
+ Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system.
@@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- The Current Status of the Policy Indicated by the Policy GUID
+ The Current Status of the Policy Indicated by the Policy GUID.
@@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- The FriendlyName of the Policy Indicated by the Policy GUID
+ The FriendlyName of the Policy Indicated by the Policy GUID.
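Review bot: The added description keeps "Indicated" capitalized mid-sentence, while the IsEffective description in this same patch was lowercased ("is effective on the system"). Suggest sentence case here as well, "The FriendlyName of the policy indicated by the policy GUID.", and the same treatment for the Status and PolicyInfo descriptions in the earlier hunks so the DDF strings read consistently.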
@@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
-```
\ No newline at end of file
+```
+
+## Related topics
+
+[ApplicationControl configuration service provider](applicationcontrol-csp.md)
\ No newline at end of file
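Review bot: The new last line, the ApplicationControl CSP link, still ends the file without a trailing newline, so the "No newline at end of file" marker carries over to the new side. Since this hunk already rewrites the end of the file, add the final newline here.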
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index d18a0ebd70..02eb0f514c 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -13,12 +13,24 @@ ms.date: 09/10/2020
# ApplicationControl CSP
-Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
+
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.
-```
+```console
./Vendor/MSFT
ApplicationControl
----Policies
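Review bot: The fence language changed to `console` is a poor fit for the block that follows, which is a node tree ("./Vendor/MSFT", "ApplicationControl", "----Policies") and not terminal input or output. Suggest `text` so the tree is not highlighted as a shell session. Separately, the table lead-in "The table below shows the applicability of Windows:" does not say what is applicable; something like "The table below shows the Windows editions this CSP applies to:" would be clearer.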
@@ -43,6 +55,7 @@ ApplicationControl
----TenantID
----DeviceID
```
+
**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@@ -73,7 +86,7 @@ An interior node that contains the nodes that describe the policy indicated by t
Scope is dynamic. Supported operation is Get.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
-This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
+This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
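Review bot: The Version description changes "use" to "uses", which breaks an instruction that was correct: "Stored as a string, but when parsing uses a uint64" now has no subject for "uses". The DDF file in this same patch words it as "When parsing, use a uint64 as the containing data type." Suggest matching that sentence here so the two pages agree.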
@@ -113,7 +126,7 @@ The following table provides the result of this policy based on different values
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
-|True|True|True|Policy is currently running and in effect.|
+|True|True|True|Policy is currently running and is in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
@@ -122,14 +135,14 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
-\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
+\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
-Value type is integer. Default value is 0 == OK.
+Value type is integer. Default value is 0 = OK.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
@@ -140,15 +153,15 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
-For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
+For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems.
-2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
+2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool.
Below is a sample certutil invocation:
@@ -293,8 +306,8 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Setup for using the WMI Bridge
-1. Convert your WDAC policy to Base64
-2. Open PowerShell in Local System context (through PSExec or something similar)
+1. Convert your WDAC policy to Base64.
+2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:
```powershell
@@ -315,4 +328,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName
-```
\ No newline at end of file
+```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 4d6a2a787f..3785ca1b3c 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -14,6 +14,16 @@ ms.date: 11/19/2019
# AppLocker CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
@@ -74,13 +84,11 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
-
+>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
-> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
-
-Additional information:
+> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
@@ -96,14 +104,14 @@ Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-Data type is string.
+Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
-The data type is a string.
+The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
@@ -206,22 +214,25 @@ Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
-> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
+> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
**AppLocker/EnterpriseDataProtection**
-Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
+Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
+
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy
You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner:
+
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy
Exempt examples:
+
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy
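Review bot: The rewritten NOTE on Code Integrity Policy still says "command line tool" and "Applocker-CSP", while the ApplicationControl page in this patch uses "command-line tool" and the rest of this page spells the name "AppLocker CSP". Since the line is already being touched to add backticks around `ConvertFrom-CIPolicy`, fix both in the same edit.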
@@ -259,15 +270,15 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
-2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
+1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
+2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.

-3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
-4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
+3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
+4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.

@@ -279,7 +290,7 @@ The following table shows the mapping of information to the AppLocker publisher
|Device portal data|AppLocker publisher rule field|
|--- |--- |
-|PackageFullName|ProductName
The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
+|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version
The version can be used either in the HighSection or LowSection of the BinaryVersionRange.
HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
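Review bot: The PackageFullName row is collapsed into "ProductName: The product name is first part of the PackageFullName ...", but the Version row below keeps the old layout with the field name on one line and the explanation on the next, so the two rows of the same table are now formatted differently. Either convert the Version row to the same "Version: ..." form or leave both as they were. The merged sentence is also missing an article: "is the first part".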
@@ -293,13 +304,13 @@ Here's an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
-**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
+**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
-1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
+1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
-3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
+3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
Request URI:
@@ -359,17 +370,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
-
## Inbox apps and components
-
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
-
-
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
@@ -1277,6 +1284,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
## Recommended blocklist for Windows Information Protection
+
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
@@ -1460,5 +1468,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index 7bde68650f..2f322128e5 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# AppLocker DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
-
-[AppLocker configuration service provider](applocker-csp.md)
-
-
-
-
-
-
-
-
-
-
+[AppLocker configuration service provider](applocker-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 0276189379..cf61a9f2c1 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -13,7 +13,18 @@ ms.date: 05/03/2022
# AssignedAccess CSP
-The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
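Review bot: The reworded intro replaces "the next user sign in" with "the next user login". Microsoft documentation style uses "sign in" and "sign-in" and avoids "login", so this change moves away from the house term. Suggest "the next user sign-in that is associated with the kiosk mode". The phrase "puts the device into the kiosk mode" could also drop the article while the sentence is being edited.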
@@ -23,14 +34,14 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
-> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
+> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following example shows the AssignedAccess configuration service provider in tree format
-```
+```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
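Review bot: The edited NOTE about `KeyCredentialManager.IsSupportedAsync` now reads "select an appropriate PIN" in one sentence and "select your convenience pin" in the next. Capitalize the second occurrence as "PIN" so the term is consistent within the note. The sentence introducing the tree ("shows the AssignedAccess configuration service provider in tree format") also ends without a colon or period before the fence.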
@@ -44,14 +55,14 @@ AssignedAccess
Root node for the CSP.
**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
-A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
+A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
-> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
+> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
-> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
+> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
> [!Note]
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
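Review bot: The second paragraph of the edited NOTE gets a comma after "version 1803" but keeps two wording errors on the same line: "That Add/Replace/Delete command on KioskModeApp node" and "even it’s not effective". Suggest "An Add, Replace, or Delete command on the KioskModeApp node" and "even if it's not effective". This matters for operators because the sentence describes a command that returns SUCCESS without changing the device, and it should be unambiguous.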
@@ -79,7 +90,14 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+
+Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key.
+
+> [!Note]
+> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
+>
+> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
Enterprises can use this to easily configure and manage the curated lockdown experience.
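Review bot: The NOTE added under the Configuration node duplicates the NOTE that already sits under KioskModeApp, and it uses the old wording ("In Windows 10, version 1803 the Configuration node", without the comma this patch adds to the other copy). Two copies will drift further over time. Suggest dropping this one and linking to the KioskModeApp note, or at least applying the same punctuation fixes. In the new 1909 paragraph, "This allows Microsoft Edge" has an unclear antecedent; "This support allows" reads better.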
@@ -248,7 +266,7 @@ KioskModeApp Replace
## AssignedAccessConfiguration XSD
-Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.
```xml
@@ -259,11 +277,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
+ xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
+
@@ -273,8 +293,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+
+
+
+
+
+
@@ -283,7 +309,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -384,6 +422,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+
@@ -422,10 +461,10 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
-
+);
```
-Here's the schema for new features introduced in Windows 10 1809 release
+Here's the schema for new features introduced in Windows 10 1809 release:
```xml
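Review bot: The line added just before the closing fence of the XSD block is ");", which is not XML and cannot be the end of a schema document. It looks like a paste error that replaced the schema's closing tag. Please restore the closing element, because readers copy this block to validate AssignedAccess configuration files and a schema that ends in ");" will not parse.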
@@ -472,6 +511,7 @@ Here's the schema for new features introduced in Windows 10 1809 release
```
Schema for Windows 10 prerelease
+
```xml
```
-To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
+The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization.
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
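Review bot: The rewritten paragraph that starts "To authorize a compatible configuration XML" still names only "1809 or prerelease elements and attributes", although this hunk adds a schema for version 1909 just above it. If the 1909 schema is another add-on namespace, say that it needs the same treatment (namespace declared, alias on each element and attribute). Also add a blank line between the new 1909 sentence and its `xml` fence, and a comma before "which" in "version 1909 which has added".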
@@ -568,13 +634,60 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
```
+Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
+```xml
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
+Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
+> [!NOTE]
+> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
+```xml
+
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
-Escape and CDATA are mechanisms when handling xml in xml. Consider it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
+Escape and CDATA are mechanisms used when handling xml in xml. Consider that it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
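Review bot: The `> [!NOTE]` about **BreakoutSequence** sits directly under the "Example XML configuration for setting a breakout sequence" sentence and directly above the `xml` fence, with no blank line on either side. Put a blank line before and after the note so that the paragraph, the alert and the code block render as three separate elements; the Edge kiosk example above it has the same problem between its lead-in sentence and the fence. In the reworded "Escape and CDATA" paragraph, "transparent to both, the end user" still carries the stray comma, and "xml" and "XML" are mixed within one sentence.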
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index c6d84bf203..aee7adb47a 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,6 +1,6 @@
---
title: AssignedAccess DDF
-description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
+description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.reviewer:
manager: dansimp
@@ -14,7 +14,6 @@ ms.date: 02/22/2018
# AssignedAccess DDF
-
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@@ -22,7 +21,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is for Windows 10, version 1803.
+The XML below is for Windows 10, version 1803 and later.
```xml
@@ -50,7 +49,7 @@ The XML below is for Windows 10, version 1803.
- com.microsoft/2.0/MDM/AssignedAccess
+ com.microsoft/4.0/MDM/AssignedAccess
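Review bot: The DDF type string goes from `com.microsoft/2.0/MDM/AssignedAccess` to `com.microsoft/4.0/MDM/AssignedAccess`, skipping 3.0, in a change that otherwise only touches wording. Please confirm that 4.0 is the version of the DDF that ships for "1803 and later" and that the node definitions in this block match it; if the block is still the 2.0 tree, the label alone should not change.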
@@ -119,7 +118,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
- This read only node contains kiosk health event in xml
+ This read only node contains kiosk health event in xml.
@@ -197,15 +196,4 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
## Related topics
-
[AssignedAccess configuration service provider](assignedaccess-csp.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b4564bd96c..8370601e1d 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -76,6 +76,7 @@ Allows the administrator to require encryption that needs to be turned on by usi
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
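Review bot: The `|Windows SE|No|Yes|` row is pasted into every per-node table in this file, one hunk each, which leaves a lot of duplicated rows to keep in sync. The other CSP pages in this change (CellularSettings, CertificateStore, CleanPC) get a single applicability table under the title; consider the same here, or at least confirm that Windows SE support really is identical for every BitLocker node before repeating the row.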
@@ -136,6 +137,7 @@ Allows you to set the default encryption method for each of the different drive
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -209,6 +211,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -266,6 +269,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -305,6 +309,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -347,6 +352,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -389,6 +395,7 @@ Allows users to enable authentication options that require user input from the p
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -438,6 +445,7 @@ Allows you to configure the encryption type that is used by BitLocker.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -485,6 +493,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -582,6 +591,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -648,6 +658,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -724,6 +735,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -812,6 +824,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -903,6 +916,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -960,6 +974,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1007,6 +1022,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1073,6 +1089,7 @@ Allows you to configure the encryption type that is used by BitLocker.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1114,6 +1131,7 @@ Allows you to control the use of BitLocker on removable data drives.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1170,6 +1188,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1224,6 +1243,7 @@ If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDev
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1268,6 +1288,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1315,6 +1336,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1353,6 +1375,7 @@ This node reports compliance state of device encryption on the system.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1413,6 +1436,7 @@ Status code can be one of the following values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1439,6 +1463,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 06e6fdd613..db4049e60e 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -937,3 +937,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI
```
+
+## Related topics
+
+[BitLocker configuration service provider](bitlocker-csp.md)
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 5605ebe1f4..7ac0af3d3d 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -14,10 +14,21 @@ ms.date: 06/26/2017
# CellularSettings CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
-> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
+> Starting in Windows 10, version 1703, the CellularSettings CSP is supported in Windows 10 and Windows 11 Home, Pro, Enterprise, and Education editions.
The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
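Review bot: The new applicability table and the edited note disagree. The table lists Business as "Yes" for both releases and Windows SE as "Yes" for Windows 11, but the note still enumerates only "Home, Pro, Enterprise, and Education editions". Either extend the list in the note or shorten the note to point at the table. The lead-in "shows the applicability of Windows" would also read better as something like "shows which Windows editions this CSP applies to".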
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 0ef7d8606c..32b017f492 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -14,6 +14,17 @@ ms.date: 02/28/2020
# CertificateStore CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> [!Note]
@@ -24,7 +35,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node
The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
-```
+```console
./Vendor/MSFT
CertificateStore
----ROOT
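Review bot: The fence language becomes `console`, but the block is the CSP node tree (`./Vendor/MSFT`, `CertificateStore`, `----ROOT`), not a terminal session. `text` would describe the content more accurately.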
@@ -259,7 +270,7 @@ Optional. OID of certificate template name.
Supported operations are Get, Add, and Delete.
**My/SCEP/*UniqueID*/Install/KeyLength**
-Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
+Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
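Review bot: The edit fixes "Specify" but leaves "NGC key lengths supported should be specified." untouched, and that sentence does not tell the reader which lengths NGC supports or where to specify them. Since 1024 is listed as a valid RSA key length next to 2048 and 4096, this would also be the place for a short recommendation on which value to use for new enrollments.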
@@ -343,7 +354,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re
Supported operation is Get.
**My/WSTEP**
-Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
+Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
@@ -358,8 +369,6 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
-
-
Supported operations are Add, Get, Delete, and Replace.
**My/WSTEP/Renew/RenewalPeriod**
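Review bot: Both blank lines between the `> [!NOTE]` block and "Supported operations are Add, Get, Delete, and Replace." are removed. If no blank line is left there, Markdown treats that sentence as a continuation of the blockquote and it renders inside the note. Keep exactly one blank line after the note.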
@@ -414,7 +423,7 @@ Optional. If certificate renewal fails, this integer value indicates the HRESULT
Supported operation is Get.
**My/WSTEP/Renew/LastRenewalAttemptTime**
-Added in Windows 10, version 1607. Time of the last attempted renewal.
+Added in Windows 10, version 1607. Specifies the time of the last attempted renewal.
Supported operation is Get.
@@ -424,7 +433,7 @@ Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
**My/WSTEP/Renew/RetryAfterExpiryInterval**
-Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
+Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
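Review bot: "Specifies how long after the enrollment certificate has expired before trying to renew" is still not a grammatical sentence, and it says something different from the DDF description of the same node edited in this change, "How long after the enrollment cert has expired to keep trying to renew." One reads as a delay before the first attempt, the other as a retry window. Pick the meaning that matches the implementation, use it in both files, and state the unit.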
@@ -698,7 +707,6 @@ Configure the device to automatically renew an MDM client certificate with the s
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index da503f9902..e7ebbe235d 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# CertificateStore DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -458,7 +457,7 @@ The XML below is the current version for this CSP.
- The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.
+ The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key.
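Review bot: Dropping "though" and joining the clauses with "and" changes what the sentence says. The old text contrasted two things: the server can add the public part of the MDM client cert through EncodedCertificate, but enrolling a client certificate with its private key needs a certificate enrollment protocol or a manual install. The new run-on reads as if the server "could ... properly enroll a client certificate" through this node. Suggest two sentences that keep the contrast, and "including private" should be "including the private key".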
@@ -585,7 +584,7 @@ The XML below is the current version for this CSP.
- This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment.
+ This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.
@@ -627,7 +626,7 @@ The XML below is the current version for this CSP.
- The group to represent the install request
+ The group to represent the install request.
@@ -1241,7 +1240,7 @@ The XML below is the current version for this CSP.
- If certificate renew fails, this node provide the last hresult code during renew process.
+ If certificate renew fails, this node provides the last hresult code during renew process.
@@ -1262,7 +1261,7 @@ The XML below is the current version for this CSP.
- Time of last attempted renew
+ Time of last attempted renew.
@@ -1283,7 +1282,7 @@ The XML below is the current version for this CSP.
- Initiate a renew now
+ Initiate a renew now.
@@ -1305,7 +1304,7 @@ The XML below is the current version for this CSP.
- How long after the enrollment cert has expiried to keep trying to renew
+ How long after the enrollment cert has expired to keep trying to renew.
@@ -1372,7 +1371,7 @@ The XML below is the current version for this CSP.
- The base64 Encoded X.509 certificate
+ The base64 Encoded X.509 certificate.
@@ -1667,11 +1666,6 @@ The XML below is the current version for this CSP.
```
-
-
-
-
-
-
-
+## Related topics
+[CertificateStore configuration service provider](certificatestore-csp.md)
\ No newline at end of file
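Review bot: The new `## Related topics` heading is followed directly by its link line with no blank line between them, and the file now ends without a trailing newline (`\ No newline at end of file`). bitlocker-ddf-file.md in this same change adds the section with a blank line after the heading; do the same here and end the file with a newline.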
diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md
index ef943cbe35..5eb147ea0c 100644
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@@ -1,13 +1,13 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
+author: aczechowski
+ms.author: aaroncz
ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+manager: dougeby
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: dansimp
ms.localizationpriority: medium
ms.date: 10/19/2020
---
@@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|New or updated article | Description|
|--- | ---|
-|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
@@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:
Settings/AllowVirtualGPU
Settings/SaveFilesToHost|
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:
ProxySettingsPerUser|
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
-|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
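Review bot: This hunk and the one before it delete the two MMAT rows from the change history instead of updating them. A change log is a record of what was published; if the `index.md#mmat` anchor and the `https://aka.ms/mmat` link are being retired, consider keeping the row text and removing only the links, or state in the PR description why the entries are removed.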
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index 57298ac676..3c615c5b08 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -13,6 +13,17 @@ manager: dansimp
# CleanPC CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following shows the CleanPC configuration service provider in tree format.
diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md
index 1f2c1fa3f7..9e4fbdbf1b 100644
--- a/windows/client-management/mdm/cleanpc-ddf.md
+++ b/windows/client-management/mdm/cleanpc-ddf.md
@@ -34,7 +34,7 @@ The XML below is the current version for this CSP.
- Allow removal of user installed and pre-installed applications, with option to persist user data
+ Allow removal of user installed and pre-installed applications, with option to persist user data.
@@ -54,7 +54,7 @@ The XML below is the current version for this CSP.
- CleanPC operation without any retention of User data
+ CleanPC operation without any retention of User data.
@@ -75,7 +75,7 @@ The XML below is the current version for this CSP.
- CleanPC operation with retention of User data
+ CleanPC operation with retention of User data.
@@ -94,12 +94,6 @@ The XML below is the current version for this CSP.
```
-
-
-
-
-
-
-
-
+## Related topics
+[CleanPC configuration service provider](cleanpc-csp.md)
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index de295098f3..b667bfa46b 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
-description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
+description: Learn how the ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp
@@ -14,18 +14,29 @@ ms.date: 07/30/2021
# ClientCertificateInstall CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|---|---|---|
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> [!Note]
-> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
+> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following example shows the ClientCertificateInstall configuration service provider in tree format.
-```
+```console
./Vendor/MSFT
ClientCertificateInstall
----PFXCertInstall
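Review bot: The reworded 1511 note no longer states the condition under which the problem occurs. The old text said the device-store certificate is also installed in the user store when both certificates "are sent to the device in the same MDM payload"; the new text asserts that "both certificates are sent to the device in the same MDM payload", as if that always happens. Keep it conditional, for example "... and both certificates are sent in the same MDM payload, the certificate intended for the device store is also installed in the user store." The tree block's new `console` tag would also be better as `text`, since it holds a node tree and not a shell session.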
@@ -99,7 +110,7 @@ The data type is an integer corresponding to one of the following values:
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fall back to software. |
| 3 | Install to software. |
-| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
+| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. |
**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@@ -119,7 +130,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t
If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail.
-In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB.
+In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)).
**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
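Review bot: Adding the link does not fix the sentence: "adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB" reads as if the certificate is found inside a structure. The DDF text for this node keeps these as two statements, first "... adding a new certificate" and then where CRYPT_DATA_BLOB is documented. Split it the same way: end the sentence after "adding a new certificate." and follow with a sentence that points to the linked CRYPT_INTEGER_BLOB page as the reference for CRYPT_DATA_BLOB.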
@@ -133,9 +144,9 @@ Optional. Used to specify whether the PFX certificate password is encrypted with
The data type is int. Valid values:
-- 0 - Password isn't encrypted.
-- 1 - Password is encrypted with the MDM certificate.
-- 2 - Password is encrypted with custom certificate.
+- 0 - Password isn't encrypted.
+- 1 - Password is encrypted with the MDM certificate.
+- 2 - Password is encrypted with custom certificate.
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
@@ -322,9 +333,9 @@ Data type is string.
Valid values are:
-- Days (Default)
-- Months
-- Years
+- Days (Default)
+- Months
+- Years
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
@@ -608,7 +619,7 @@ Enroll a client certificate through SCEP.
```
-Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
+Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store.
```xml
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 46bb00affa..492a95c621 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -107,7 +107,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
- Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. Supported operations are Get, Add
+ Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add.
Datatype will be int
1- Install to TPM, fail if not present
2 – Install to TPM if present, if not present fallback to Software
@@ -138,8 +138,8 @@ Calling Delete on the this node, should delete the certificates and the keys tha
Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
-Format is chr
-Supported operations are Get, Add, Delete and Replace
+Format is chr.
+Supported operations are Get, Add, Delete and Replace.
@@ -165,8 +165,8 @@ Supported operations are Get, Add, Delete and Replace
Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
-Format is Binary64
-Supported operations are Get, Add, Replace
+Format is Binary64.
+Supported operations are Get, Add, Replace.
If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate
@@ -197,7 +197,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo
Required if PFX is password protected.
Password that protects the PFX blob.
-Format is chr. Supported operations are Add, Get
+Format is chr. Supported operations are Add, Get.
@@ -228,7 +228,7 @@ If the value is
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.
The datatype for this node is int.
-Supported operations are Add, Replace
+Supported operations are Add, Replace.
@@ -254,7 +254,7 @@ Supported operations are Add, Replace
trueOptional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool.
-Supported operations are Add, Get
+Supported operations are Add, Get.
@@ -299,7 +299,7 @@ Supported operations are Add, Get
Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int.
-Support operations are Get
+Support operations are Get.
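Review bot: The added period leaves "Support operations are Get." otherwise unchanged. With a single operation this should read "Supported operation is Get.", which is the wording the CSP pages in this change already use.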
@@ -374,7 +374,7 @@ Support operation are Add, Get and Replace.
Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
-Supported operations are Get, Add, Delete
+Supported operations are Get, Add, Delete.
Calling Delete on the this node, should delete the corresponding SCEP certificate
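Review bot: The context line directly under the edited one, "Calling Delete on the this node, should delete the corresponding SCEP certificate", still has the doubled article, a stray comma and no closing period. Since this patch is normalizing sentence endings in this block, fix that line here too.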
@@ -401,7 +401,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete.
-NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.
+NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values.
@@ -570,7 +570,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. Supported values:
Format is int.
-Supported operations are Get, Add, Delete, Replace
+Supported operations are Get, Add, Delete, Replace.
@@ -604,7 +604,7 @@ The min value is 1.
Format is int.
-Supported operations are Get, Add, Delete noreplace
+Supported operations are Get, Add, Delete noreplace.
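Review bot: Adding a period to "Get, Add, Delete noreplace" keeps the broken operation list: "noreplace" is not an operation name and the line does not say whether Replace is supported. State it explicitly, for example "Supported operations are Get, Add, and Delete. Replace is not supported.", if that is the intent.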
@@ -654,7 +654,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele
- Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace
+ Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace.
@@ -819,7 +819,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
0
- Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+ Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Format is int.
@@ -852,9 +852,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio
Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
-Format is chr
+Format is chr.
-Supported operations are Get, Add, Delete and Replace
+Supported operations are Get, Add, Delete and Replace.
@@ -880,9 +880,9 @@ Supported operations are Get, Add, Delete and ReplaceOptional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this.
-Format is chr
+Format is chr.
-Supported operations are Get, Add, Delete and Replace
+Supported operations are Get, Add, Delete and Replace.
@@ -1029,9 +1029,9 @@ Supported operation is Get.
Required. Returns the URL of the SCEP server that responded to the enrollment request.
-Format is String
+Format is String.
-Supported operation is Get
+Supported operation is Get.
@@ -1054,15 +1054,4 @@ Supported operation is Get
## Related topics
-
[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 06562d8462..c5b7aebc24 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -14,6 +14,17 @@ ms.date: 08/02/2017
# CM\_CellularEntries CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
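Review bot: The added lead-in "The table below shows the applicability of Windows:" describes the table backwards. The table lists which Windows editions the CSP applies to, so something like "This CSP is supported on the following Windows editions:" would be clearer, and the same sentence is added to other CSP pages in this patch.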
@@ -76,13 +87,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f
|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
-|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
-|Iwlan|Used for connections that are implemented over WiFi offload only|
+|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.|
+|Iwlan|Used for connections that are implemented over WiFi offload only.|
**Desc.langid**
Optional. Specifies the UI display string used by the defined language ID.
-A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry.
+A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
**Enabled**
Specifies if the connection is enabled.
@@ -131,7 +142,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 5 - Roaming only.
**OEMConnectionID**
-Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
+Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
@@ -174,7 +185,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
**SimIccId**
-For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
+For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
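Review bot: In the SimIccId change, the fix for "isOptional" leaves a capitalized "Optional" in mid-sentence and keeps the abbreviation "parm" twice. Suggest "this parameter is optional" and "this parameter is required", which also matches how the other entries on the page are worded.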
@@ -271,17 +282,7 @@ The following table shows the Microsoft custom elements that this configuration
|Characteristic-query|Yes|
|Parm-query|Yes|
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 333377d822..3e405b2e16 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -14,13 +14,22 @@ ms.date: 06/26/2017
# CMPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
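Review bot: The added applicability table ends at "|Education|Yes|Yes|" and the existing paragraph "The CMPolicy configuration service provider defines rules ..." follows with no added blank line, unlike the CM_CellularEntries hunk, which adds one after its table. Without the separator the paragraph can be rendered as a further table row; add a blank "+" line after the last row.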
@@ -134,7 +143,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
-
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@@ -180,7 +188,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
```
-Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
+Adding a host-based mapping policy:
+
+In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@@ -364,7 +374,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
-
|Element|Available|
|--- |--- |
|parm-query|Yes|
@@ -373,7 +382,6 @@ Adding a host-based mapping policy:
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index e8f9de1f33..64aad26081 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -14,6 +14,17 @@ ms.date: 06/26/2017
# CMPolicyEnterprise CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
+
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
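Review bot: Every cell of the added applicability table is "No", for all six editions on both Windows 10 and Windows 11, while the paragraph right after it still says the CSP "is used by the enterprise". Confirm the values are intended; if the CSP no longer applies to any listed edition, say so in a sentence instead of leaving readers with a table that contradicts the description.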
@@ -21,9 +32,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
+Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
+
+
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
-**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
+**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
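Review bot: The added line "Each policy entry identifies one or more applications in combination with a host pattern. ..." is a verbatim copy of the unchanged context line directly above it, so the paragraph will appear twice on the page. Drop the added copy and the two blank lines after it; the surviving sentence "can have multiple policies" also still lacks its closing period.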
@@ -72,7 +86,8 @@ Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
**Conn***XXX*
-Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
+
+Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
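Review bot: The reworded Conn*XXX* description reads worse than the line it replaces: "three-digits, which increment" should not be hyphenated, and "a policy which applied to five connections" changes the tense for no reason. Suggest keeping the original sentence. The added blank line after the **Conn***XXX* term also breaks the term-then-description layout that **ConnectionID** just below still uses.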
@@ -90,7 +105,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
-
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
@@ -133,7 +147,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples
-
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml
@@ -227,7 +240,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
## OMA DM examples
-
Adding an application-based mapping policy:
```xml
@@ -364,7 +376,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
-
|Element|Available|
|--- |--- |
|parm-query|Yes|
@@ -373,7 +384,6 @@ Adding a host-based mapping policy:
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md
index 26a30c88a6..a2167e456e 100644
--- a/windows/client-management/mdm/config-lock.md
+++ b/windows/client-management/mdm/config-lock.md
@@ -1,93 +1,90 @@
---
-title: Secured-Core Configuration Lock
-description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
+title: Secured-core configuration lock
+description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
manager: dansimp
-keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
-ms.date: 03/14/2022
+ms.date: 05/24/2022
---
-# Secured-Core PC Configuration Lock
+# Secured-core PC configuration lock
**Applies to**
-- Windows 11
+- Windows 11
-In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
+In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
-Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
+Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
-To summarize, Config Lock:
+To summarize, config lock:
-- Enables IT to “lock” Secured-Core PC features when managed through MDM
+- Enables IT to "lock" secured-core PC features when managed through MDM
- Detects drift remediates within seconds
-- DOES NOT prevent malicious attacks
+- Doesn't prevent malicious attacks
## Configuration Flow
-After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
-Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
+Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
-## Enabling Config Lock using Microsoft Intune
+## Enabling config lock using Microsoft Intune
-Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
-
-The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
-1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
+The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+
+1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
- :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
+ :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile.
-1. When you reach the Configuration Settings step, select “Add” and add the following information:
+1. When you reach the Configuration Settings step, select "Add" and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1
- To turn off Config Lock, change the value to 0.
+ To turn off config lock, change the value to 0.
- :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
+ :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
-1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
+1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
1. You'll not need to set any applicability rules for test purposes.
-1. Review the Configuration and select “Create” if everything is correct.
-1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
+1. Review the Configuration and select "Create" if everything is correct.
+1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
- :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
+ :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.":::
- :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
+ :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.":::
-## Configuring Secured-Core PC features
+## Configuring secured-core PC features
-Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
+Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
+
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
-:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
-
## FAQ
-**Can an IT admins disable Config Lock ?**
- Yes. IT admins can use MDM to turn off Config Lock.
+- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies
|**CSPs** |
|-----|
-|[BitLocker ](bitlocker-csp.md) |
+|[BitLocker](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
-|[ApplicationControl](applicationcontrol-csp.md)
-
+|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
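Review bot: The new FAQ bullet says config lock can be put in "temporary unlock mode for helpdesk activities", but nothing in this file explains how; the Intune steps only cover the Lock value 1 and 0. Either document the unlock setting or drop the claim. In the locked-policies table, the re-added "|[ApplicationControl](applicationcontrol-csp.md)" row still has no closing pipe and the blank line after it is removed, so check that the "|**MDM policies**" header still starts a separate table. The unchanged bullet "Detects drift remediates within seconds" is also missing "and".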
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 56bcf98029..d12b45b482 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -438,18 +438,6 @@ Additional lists:
-
-[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-
-
-
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
@@ -544,18 +532,6 @@ Additional lists:
-
-[Messaging CSP](messaging-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-
-
-
[MultiSIM CSP](multisim-csp.md)
@@ -640,18 +616,6 @@ Additional lists:
-
-[Proxy CSP](proxy-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|Yes|Yes|Yes|Yes|Yes|
-
-
-
-
[PXLogical CSP](pxlogical-csp.md)
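Review bot: The removed Proxy CSP entry carries an edition table of "Yes" for Home, Pro, Business, Enterprise and Education, unlike the other entries removed from this reference, which are "No" across the board. Dropping a CSP documented as supported everywhere needs a stated reason, and the link target "proxy-csp.md" needs a redirect if the page is going away.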
@@ -700,18 +664,6 @@ Additional lists:
-
-[PolicyManager CSP](policymanager-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-
-
-
[Provisioning CSP](provisioning-csp.md)
@@ -748,18 +700,6 @@ Additional lists:
-
-[RemoteRing CSP](remotering-csp.md)
-
-
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-|No|No|No|No|No|
-
-
-
-
[RemoteWipe CSP](remotewipe-csp.md)
@@ -857,18 +797,15 @@ Additional lists:
+
[SurfaceHub](surfacehub-csp.md)
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-||||||
-
+
[TenantLockdown CSP](tenantlockdown-csp.md)
@@ -953,18 +890,16 @@ Additional lists:
+
[W4 Application CSP](w4-application-csp.md)
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-||||||
-
+
+
[WiFi CSP](wifi-csp.md)
@@ -1019,7 +954,7 @@ Additional lists:
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
-|No|Yes|Yes|Yes|Yes|
+|No|No|No|Yes|Yes|
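Review bot: This row changes Pro and Business from "Yes" to "No", which is a support-matrix change rather than a formatting fix, and the hunk does not show which CSP the table belongs to. Confirm the new values against that CSP's own page and call the change out in the commit description so it is not lost among the punctuation edits.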
@@ -1049,18 +984,15 @@ Additional lists:
+
[w7 Application CSP](w7-application-csp.md)
-
-|Home|Pro|Business|Enterprise|Education|
-|--- |--- |--- |--- |--- |
-||||||
-
+
@@ -1078,7 +1010,6 @@ You can download the DDF files for various CSPs from the links below:
## CSPs supported in HoloLens devices
-
The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
@@ -1163,7 +1094,6 @@ The following list shows the CSPs supported in HoloLens devices:
- [DiagnosticLog CSP](diagnosticlog-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
-- [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 1a0f77c9ed..ba7ddde489 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background
## SyncML examples
-
**Set StartupAppID**
```xml
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 22ee682cf2..df63bb462e 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -15,6 +15,15 @@ ms.date: 02/22/2022
# Defender CSP
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
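Review bot: The edition table is added directly under "# Defender CSP" with no introductory sentence, while the same table in the CM_CellularEntries, CMPolicy and CMPolicyEnterprise hunks is preceded by a lead-in line. Add a one-line lead-in here so the pages stay consistent and the table has context.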
@@ -355,7 +364,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
**EnableNetworkProtection/DisableHttpParsing**
-Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
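Review bot: Replacing "-EnableNetworkProtection" with "Enable Network Protection" in the DisableHttpParsing description removes the only exact setting name from the sentence; the spaced form matches neither the node name in the heading (`EnableNetworkProtection`) nor anything else a reader could search for. Since this setting decides whether connections are blocked or only inspected, refer to it by its exact name, for example "if `EnableNetworkProtection` is set to enabled". The same replacement is repeated in the RDP, SSH and TLS hunks that follow.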
@@ -365,7 +374,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
**EnableNetworkProtection/DisableRdpParsing**
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@@ -375,7 +384,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
**EnableNetworkProtection/DisableSshParsing**
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
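Review bot: The DisableSshParsing description is edited but still contains a sentence fragment: "If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring." has no main clause. The RDP hunk above shows the intended structure, so join the two sentences the same way: "...so that it can block connections from known malicious hosts if EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring."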
@@ -385,7 +394,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
**EnableNetworkProtection/DisableTlsParsing**
-Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
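Review bot: The last sentence of the DisableTlsParsing description still reads "HTTP inspection can be disabled by setting this value to "$true"", which looks copied from DisableHttpParsing and is carried over unchanged on the `+` line. Under this node it should say TLS inspection; as written, an administrator could conclude that this setting controls HTTP parsing.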
@@ -594,11 +603,13 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get.
**Configuration/TamperProtection**
+
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
+
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
-The data type is a Signed blob.
+The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace.
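Review bot: The data type is now spelled "Signed BLOB", but the surrounding TamperProtection text still says "Accepts signed string" and "Send off blob to device", so the same payload is described three different ways. Pick one term and casing and use it throughout the section. The unchanged sentence "Settings are configured with an MDM solution, such as Intune and is available in ..." also needs its subject and verb fixed while this paragraph is being touched, and the "Supported operations" line here does not get the serial comma applied in the later hunks.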
@@ -610,7 +621,7 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
**Configuration/DisableLocalAdminMerge**
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
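Review bot: The new wording "This setting applies to lists such as threats and exclusion list" in DisableLocalAdminMerge is less grammatical than the line it replaces ("lists such as ... exclusion list" mixes plural and singular). Either keep the original "threats and exclusions" or write "such as the threat and exclusion lists".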
@@ -630,6 +641,7 @@ Valid values are:
- 0 (default) – Disable.
**Configuration/HideExclusionsFromLocalAdmins**
+
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@@ -639,22 +651,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu
> [!NOTE]
> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
-Supported OS versions: Windows 10
+Supported OS versions: Windows 10
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
**Configuration/DisableCpuThrottleOnIdleScans**
+
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 (default) – Enable.
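Review bot: The "Supported OS versions: Windows 10" line under HideExclusionsFromLocalAdmins is removed and re-added with no visible text change, so it appears to be a whitespace-only edit. The edition table this patch adds at the top of the file marks the CSP as supported on Windows 11, so please confirm whether this setting is intentionally limited to Windows 10 or whether the line should be updated in the same change.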
@@ -665,7 +678,7 @@ Allow managed devices to update through metered connections. Data charges may ap
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -676,7 +689,7 @@ This settings controls whether Network Protection is allowed to be configured in
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -687,7 +700,7 @@ Allows an administrator to explicitly disable network packet inspection made by
The data type is string.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
@@ -695,7 +708,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enable.
@@ -706,7 +719,7 @@ The support log location setting allows the administrator to specify where the M
Data type is string.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Intune Support log location setting UX supports three states:
@@ -714,7 +727,7 @@ Intune Support log location setting UX supports three states:
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature.
-When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details:
@@ -738,7 +751,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@@ -771,7 +784,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 0: Not configured (Default)
@@ -796,7 +809,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid Values are:
- 0: Not configured (Default)
@@ -819,7 +832,7 @@ If you disable or don't configure this policy, the device will remain in Current
The data type is integer.
-Supported operations are Add, Delete, Get, Replace.
+Supported operations are Add, Delete, Get, and Replace.
Valid values are:
- 1 – Enabled.
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 7a1c219d01..b2a87f5a47 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -14,6 +14,16 @@ ms.date: 03/27/2020
# DevDetail CSP
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE]
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 22f1b88991..c484b9a326 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates
Other value or absent: don’t defer feature updates|
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates
Other value or absent: don’t pause feature updates|
-|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers
Other value or absent: offer WU drivers|
+|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers|
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 9768af70a3..5a205b9d64 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
-description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
+description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@@ -14,6 +14,16 @@ ms.date: 11/01/2017
# DeviceManageability CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
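Review bot: The last table row `|Education|Yes|Yes|` is followed directly by the paragraph "The DeviceManageability configuration service provider (CSP) is used to ..." with no added empty line, whereas the Defender and DiagnosticLog hunks end the table with an empty `+` line. If no blank line separates them in the file, Markdown renderers that follow the GitHub table rules will pull the paragraph into the table as an extra row. Add a blank line after the table; the DeviceStatus table hunk has the same shape.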
@@ -30,6 +40,7 @@ DeviceManageability
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
+
**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
@@ -50,14 +61,20 @@ Added in Windows 10, version 1709. Configuration information string value set by
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
-Data type is string. Supported operations are Add, Get, Delete, and Replace.
+Data type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
-Data type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
+Data type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 17cb3d7424..d70efed2a5 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
-description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
+description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
@@ -14,6 +14,16 @@ ms.date: 06/25/2021
# DeviceStatus CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@@ -63,15 +73,16 @@ DeviceStatus
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
+
**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
-- 0 - Not supported
-- 1 - Enabled
-- 2 - Disabled
+- 0 - Not supported
+- 1 - Enabled
+- 2 - Disabled
Supported operation is Get.
@@ -138,9 +149,9 @@ Supported operation is Get.
**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
-- 2 - WLAN (or other Wireless interface)
-- 1 - LAN (or other Wired interface)
-- 0 - Unknown
+- 2 - WLAN (or other Wireless interface)
+- 1 - LAN (or other Wired interface)
+- 0 - Unknown
Supported operation is Get.
@@ -150,8 +161,8 @@ Node for the compliance query.
**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
-- 0 - Not encrypted
-- 1 - Encrypted
+- 0 - Not encrypted
+- 1 - Encrypted
Supported operation is Get.
@@ -179,8 +190,9 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
-- 0 - The device is in standard configuration
-- 1 - The device is in S mode configuration
+
+- 0 - The device is in standard configuration.
+- 1 - The device is in S mode configuration.
Supported operation is Get.
@@ -194,15 +206,16 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
-- 0 - The security software reports that it isn't the most recent version.
-- 1 (default) - The security software reports that it's the most recent version.
-- 2 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 - The security software reports that it isn't the most recent version.
+- 1 (default) - The security software reports that it's the most recent version.
+- 2 – Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
-- 1 – If every active antivirus provider has a valid signature status.
-- 0 – If any of the active antivirus providers has an invalid signature status.
+
+- 1 – If every active antivirus provider has a valid signature status.
+- 0 – If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
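Review bot: In the Antivirus/SignatureStatus value list, "This value is returned for devices like the phone ..." was changed to "It is returned for devices ...", while the matching entries under Antivirus/Status, Antispyware/SignatureStatus and Firewall/Status keep "This value is returned". "It" has no clear antecedent after "Not applicable.", so keep the original wording for consistency. The list also mixes "0 -" (hyphen) and "2 –" (en dash) as separators; normalizing them while the lines are being rewritten would help.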
@@ -211,38 +224,39 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
-- 0 – Antivirus is on and monitoring.
-- 1 – Antivirus is disabled.
-- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off.
-- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
-- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 – Antivirus is on and monitoring.
+- 1 – Antivirus is disabled.
+- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off.
+- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
+- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
**DeviceStatus/Antispyware**
-Added in Windows, version 1607. Node for the antispyware query.
+Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
**DeviceStatus/Antispyware/SignatureStatus**
-Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
+Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
-- 0 - The security software reports that it isn't the most recent version.
-- 1 - The security software reports that it's the most recent version.
-- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 - The security software reports that it isn't the most recent version.
+- 1 - The security software reports that it's the most recent version.
+- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
-If more than one antispyware provider is active, this node returns:
-- 1 – If every active antispyware provider has a valid signature status.
-- 0 – If any of the active antispyware providers has an invalid signature status.
+If more than one anti-spyware provider is active, this node returns:
-This node also returns 0 when no antispyware provider is active.
+- 1 – If every active anti-spyware provider has a valid signature status.
+- 0 – If any of the active anti-spyware providers has an invalid signature status.
+
+This node also returns 0 when no anti-spyware provider is active.
**DeviceStatus/Antispyware/Status**
-Added in Windows, version 1607. Integer that specifies the status of the antispyware.
+Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
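Review bot: Value 2 under Antispyware/SignatureStatus is rewritten but still says "returned for devices like the phone that don't have an antivirus", which describes the wrong product class for this node. Since the rest of this hunk already renames the prose to "anti-spyware", change this entry to match. Also confirm that the hyphenated "anti-spyware" in prose next to the unhyphenated node name `Antispyware` is the intended style.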
@@ -263,11 +277,11 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
-- 0 – Firewall is on and monitoring.
-- 1 – Firewall has been disabled.
-- 2 – Firewall isn't monitoring all networks or some rules have been turned off.
-- 3 (default) – Firewall is temporarily not monitoring all networks.
-- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+- 0 – Firewall is on and monitoring.
+- 1 – Firewall has been disabled.
+- 2 – Firewall isn't monitoring all networks or some rules have been turned off.
+- 3 (default) – Firewall is temporarily not monitoring all networks.
+- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
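Review bot: Value 4 in the Firewall/Status list says "returned for devices like the phone that don't have an antivirus"; for a firewall status node this should refer to a firewall. The line is re-added by this hunk, so it can be corrected here.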
@@ -327,15 +341,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem
Supported operation is Get.
**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
-Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values:
+Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
+
- 0 - Running
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
-- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
-
+- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
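Review bot: Removing the empty line after the "- 42 – Other. ..." bullet leaves "Supported operation is Get." directly under the last list item of VirtualizationBasedSecurityStatus. In Markdown that line becomes a continuation of the bullet, so the rendered page will show it as part of the description of value 42. Keep a blank line between the list and the "Supported operation" sentence.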
@@ -346,7 +360,10 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 1 - Reboot required
- 2 - Not licensed for Credential Guard
- 3 - Not configured
-- 4 - VBS not running
-
+- 4 - VBS not running
Supported operation is Get.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
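Review bot: The blank line after "- 4 - VBS not running" is removed, so "Supported operation is Get." now follows the last bullet of LsaCfgCredGuardStatus directly and will render as part of that list item; restore the empty line. While in this section, the description visible in the hunk header expands LSA as "Local System Authority"; the usual expansion is Local Security Authority.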
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index ef7c93a036..e23eaed096 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -14,17 +14,26 @@ ms.date: 06/26/2017
# DevInfo CSP
+The table below shows the applicability of Windows:
-The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-
-
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
-The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
+The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
+
```
.
DevInfo
@@ -34,6 +43,7 @@ DevInfo
----DmV
----Lang
```
+
**DevId**
Required. Returns an application-specific global unique device identifier by default.
@@ -41,25 +51,22 @@ Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
-- For GSM phones, the IMEI is returned.
-
-- For CDMA phones, the MEID is returned.
-
-- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
-
-- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
+- For GSM phones, the IMEI is returned.
+- For CDMA phones, the MEID is returned.
+- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
+- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
-If no name is found, the value returned is "Unknown".
+If no name is found, this returns to "Unknown".
Supported operation is Get.
**Mod**
-Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
+Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
-If no name is found, the value returned is "Unknown".
+If no name is found, this returns to "Unknown".
Supported operation is Get.
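Review bot: "If no name is found, this returns to "Unknown"." (under both Man and Mod) changes the meaning of the original "the value returned is "Unknown""; "returns to" reads as reverting to a previous state. Use "this returns "Unknown"" or keep the original sentence. The Mod description is also updated to "Windows 10/Windows 11 desktop editions" while Man and the DevId bullet still say "Windows 10 for desktop editions", so the three entries should be aligned.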
@@ -75,15 +82,4 @@ Supported operation is Get.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index ded51dd0fa..6a733fed4d 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -14,6 +14,17 @@ ms.date: 11/19/2019
# DiagnosticLog CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
@@ -68,7 +79,9 @@ Rest of the nodes in the DiagnosticLog CSP are described within their respective
## DiagnosticArchive area
-The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
+The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
+
+DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
> [!NOTE]
> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
@@ -90,7 +103,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
-With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
+With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a `Collection` XML:
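Review bot: The rewritten sentence still refers to "an extra element" without naming it, so a reader has to scroll to the OutputFileFormat entry further down to learn which element controls the flattened layout. Name `OutputFileFormat` here. The context line above also has "functionality equivalent", which should be "functionally equivalent".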
@@ -110,13 +123,15 @@ The following example shows a `Collection` XML:
```
+
The XML should include the following elements within the `Collection` element:
-**ID**
+**ID**:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
+
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
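Review bot: The element heading is changed to "**ID**:" with a trailing colon, but the next heading in the same list, "**SasUrl**", has none. Apply one style to all element headings under `Collection`, preferably without the colon since each heading sits on its own line.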
@@ -132,7 +147,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **Events**
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- - Output format: Creates a .evtx file.
+ - Output format: Creates an .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
@@ -183,7 +198,6 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
-
**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
@@ -191,7 +205,7 @@ The supported operation is Get.
The data type is string.
-A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
+A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
``` xml
@@ -254,6 +268,7 @@ la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
+
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
@@ -262,7 +277,8 @@ For example, the first directive was:
HKLM\Software\Policies
```
-then folder `1` will contain the corresponding `export.reg` file.
+
+Then, folder `1` will contain the corresponding `export.reg` file.
The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed.
@@ -275,6 +291,7 @@ The `results.xml` file is the authoritative map to the output. It includes a sta
```
Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details.
+
```powershell
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
```
@@ -375,8 +392,8 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to rep
Supported operations are Add, Delete, and Get.
-
Add **Channel**
+
``` xml
@@ -398,7 +415,9 @@ Add **Channel**
```
+
Delete **Channel**
+
``` xml
@@ -416,7 +435,9 @@ Delete **Channel**
```
+
Get **Channel**
+
``` xml
@@ -434,6 +455,7 @@ Get **Channel**
```
+
**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
@@ -446,6 +468,7 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
+
``` xml
@@ -470,6 +493,7 @@ Add **MaximumFileSize**
```
Delete **MaximumFileSize**
+
``` xml
@@ -487,7 +511,9 @@ Delete **MaximumFileSize**
```
+
Get **MaximumFileSize**
+
``` xml
@@ -507,6 +533,7 @@ Get **MaximumFileSize**
```
Replace **MaximumFileSize**
+
``` xml
@@ -542,6 +569,7 @@ Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**
+
``` xml
@@ -566,6 +594,7 @@ Add **SDDL**
```
Delete **SDDL**
+
``` xml
@@ -586,6 +615,7 @@ Delete **SDDL**
```
Get **SDDL**
+
``` xml
@@ -605,6 +635,7 @@ Get **SDDL**
```
Replace **SDDL**
+
``` xml
@@ -642,8 +673,10 @@ The following are the possible values:
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
+If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add **ActionWhenFull**
+
``` xml
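Review bot: The added paragraph beginning "If you disable or don't configure this policy setting" repeats the unchanged context line directly above it word for word, so the rendered page will show the same paragraph twice before "Add **ActionWhenFull**". Drop the added line. If the intent was only to separate the paragraph from the heading that follows, add a blank line instead.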
@@ -668,6 +701,7 @@ Add **ActionWhenFull**
```
Delete **ActionWhenFull**
+
``` xml
@@ -687,6 +721,7 @@ Delete **ActionWhenFull**
```
Get **ActionWhenFull**
+
``` xml
@@ -706,6 +741,7 @@ Get **ActionWhenFull**
```
Replace **ActionWhenFull**
+
``` xml
@@ -737,12 +773,14 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
+
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get **Enabled**
+
``` xml
@@ -762,6 +800,7 @@ Get **Enabled**
```
Add **Enabled**
+
``` xml
@@ -786,6 +825,7 @@ Add **Enabled**
```
Delete **Enabled**
+
``` xml
@@ -805,6 +845,7 @@ Delete **Enabled**
```
Replace **Enabled**
+
``` xml
@@ -831,6 +872,7 @@ Replace **Enabled**
## EtwLog area
The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
+
- [Collector-based tracing](#collector-based-tracing)
- [Channel-based tracing](#channel-based-tracing)
@@ -842,31 +884,31 @@ This type of event tracing collects event data from a collection of registered E
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
-The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
+The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
-- Start or stop the session with all registered and enabled providers
-- Query session status
-- Change trace log file mode
-- Change trace log file size limit
+- Start or stop the session with all registered and enabled providers.
+- Query session status.
+- Change trace log file mode.
+- Change trace log file size limit.
The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
-- Specify keywords to filter events from this provider
-- Change trace level to filter events from this provider
-- Enable or disable the provider in the trace session
+- Specify keywords to filter events from this provider.
+- Change trace level to filter events from this provider.
+- Enable or disable the provider in the trace session.
The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
> [!NOTE]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
- ### Channel-based tracing
+### Channel-based tracing
The type of event tracing exports event data from a specific channel. This method is only supported on the desktop.
@@ -876,9 +918,9 @@ The DiagnosticLog CSP maintains a log file for each channel node and the log fil
For each channel node, the user can:
-- Export channel event data into a log file (.evtx)
-- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
-- Specify an XPath query to filter events while exporting the channel event data
+- Export channel event data into a log file (.evtx).
+- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
+- Specify an XPath query to filter events while exporting the channel event data.
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
@@ -887,13 +929,13 @@ To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- - TraceLogFileMode
- - LogFileSizeLimitMB
+ - [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode)
+ - [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb)
-3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
+3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- - TraceLevel
- - Keywords
+ - [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel)
+ - [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords)
5. Start logging using **TraceControl** EXECUTE command “START”.
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”.
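Review bot: Step 3 now formats the same placeholder two ways on one line: `**ProviderGUID**` in bold in the sentence and `*ProviderGUID*` in italics in the node path that follows. The previous hunk in this file moved *CollectorName* from bold-italic to plain italic, so italic looks like the intended convention for placeholders; keep `*ProviderGUID*` in step 3 as well. Please also confirm that the four new link targets (`#etwlog-collectors-collectorname-tracelogfilemode` and the other three) resolve. Node names visible in this diff, such as `**DiagnosticArchive/ArchiveResults**`, are bold lines rather than headings, and if the EtwLog nodes are written the same way these links need explicit anchors to land anywhere.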
@@ -1439,7 +1481,7 @@ The supported value is Execute.
## FileDownload area
-The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
+The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
### Comparing FileDownload and DiagnosticArchive
@@ -1624,6 +1666,7 @@ The supported operation is Get.
### Reading a log file
To read a log file:
+
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
3. Set **BlockSizeKB** per DM server payload limitation.
@@ -1632,3 +1675,7 @@ To read a log file:
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
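Review bot: The new "Related topics" section leaves the file without a trailing newline (see the "\ No newline at end of file" marker after the link line); end the file with a newline so later appends produce clean diffs. Since this hunk touches the end of the "Reading a log file" procedure, step 8 in the context is also worth a follow-up: `BlockIndexToRead == (BlockIndexToRead – 1)` compares the index with itself minus one and can never be true as written, so the loop's stop condition is not actually documented.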
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 4e55cd3c89..aecd5bf113 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -14,16 +14,25 @@ ms.date: 06/26/2017
# DMAcc CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-
-
+> [!Note]
+>This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DMAcc CSP, you can't use the Replace command unless the node already exists.
-The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
+The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```
./SyncML
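Review bot: The converted note is formatted inconsistently with the rest of this patch: the body line `>This configuration service provider requires ...` has no space after `>`, which is exactly what the dmclient-csp.md hunk later in this diff corrects (`>If the device` becomes `> If the device`), and the marker is `[!Note]` while other notes visible in this diff use `[!NOTE]`. Write it as `> [!NOTE]` followed by `> This configuration service provider ...`. The table intro "The table below shows the applicability of Windows:" is also vague; say that the table lists which Windows editions support this CSP.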
@@ -237,13 +246,10 @@ Required. Specifies the role mask that the OMA DM session runs with when it comm
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
-- 4 = SECROLE\_OPERATOR
-
-- 8 = SECROLE\_MANAGER
-
-- 16 = SECROLE\_USER\_AUTH
-
-- 128 = SECROLE\_OPERATOR\_TPS
+- 4 = SECROLE\_OPERATO
+- 8 = SECROLE\_MANAGE
+- 16 = SECROLE\_USER\_AUT
+- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object.
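Review bot: Three of the four role names lost their last character when the list was compacted: the added lines read `SECROLE\_OPERATO`, `SECROLE\_MANAGE` and `SECROLE\_USER\_AUT`, where the removed lines had `SECROLE\_OPERATOR`, `SECROLE\_MANAGER` and `SECROLE\_USER\_AUTH`. Only `SECROLE\_OPERATOR\_TPS` survived intact. These are the identifiers an administrator matches against the role mask values, so restore the full names; it looks like a trailing-whitespace cleanup removed one character too many on each line.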
@@ -256,11 +262,9 @@ The default value of "FALSE" specifies that an application-specific GUID is retu
A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
-- For GSM phones, the IMEI is returned.
-
-- For CDMA phones, the MEID is returned.
-
-- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
+- For GSM phones, the IMEI is returned.
+- For CDMA phones, the MEID is returned.
+- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
Value type is bool. Supported operations are Add, Get, and Replace.
@@ -292,9 +296,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
-> **Note** %EF%80%80 is the UTF8-encoded character U+F000.
-
-
+> [!Note]
+> %EF%80%80 is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema:
@@ -312,15 +315,4 @@ Supported operations are Add, and Replace.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7731b4fe08..187e71bdb1 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -14,6 +14,16 @@ ms.date: 11/01/2017
# DMClient CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
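Review bot: The intro sentence for the added table, "The table below shows the applicability of Windows:", does not say what applies to what. Something like "The following table shows which Windows editions support this CSP" would match what the Edition / Windows 10 / Windows 11 columns actually convey. The same sentence is added to dmacc-csp.md in this patch and should change with it.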
@@ -41,6 +51,8 @@ DMClient
------------Unenroll
------------AADResourceID
------------AADDeviceID
+------------AADSendDeviceToken
+------------ForceAadToken
------------EnrollmentType
------------EnableOmaDmKeepAliveMessage
------------HWDevID
@@ -63,9 +75,25 @@ DMClient
----------------NumberOfRemainingScheduledRetries
----------------PollOnLogin
----------------AllUsersPollOnFirstLogin
+------------LinkedEnrollment
+----------------Priority
+----------------Enroll
+----------------Unenroll
+----------------EnrollStatus
+----------------LastError
+------------Recovery
+----------------AllowRecovery
+----------------RecoveryStatus
+----------------InitiateRecovery
+------------MultipleSession
+----------------NumAllowedConcurrentUserSessionForBackgroundSync
+----------------NumAllowedConcurrentUserSessionAtUserLogonSync
+----------------IntervalForScheduledRetriesForUserSession
+----------------NumberOfScheduledRetriesForUserSession
----Unenroll
----UpdateManagementServiceAddress
```
+
**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
@@ -104,8 +132,6 @@ Supported operations are Get and Add.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
-
-
**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
@@ -115,8 +141,6 @@ Optional. Character string that contains the unique Exchange device ID used by t
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
-
-
Supported operation is Get.
The following XML is a Get command example:
@@ -148,8 +172,6 @@ Required. The character string that contains the device management server addres
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
-
-
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices.
@@ -159,7 +181,7 @@ During a DM session, the device will use the first address on the list and then
Supported operations are Add, Get, and Replace.
**Provider/*ProviderID*/UPN**
-Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
@@ -199,8 +221,6 @@ Optional. Used by the management server to set the DM session version that the s
Once you set the value to 2.0, it won't go back to 1.0.
-
-
Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/MaxSyncApplicationVersion**
@@ -279,8 +299,6 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
> [!NOTE]
> The < and > should be escaped.
-
-
```xml
101
@@ -299,23 +317,36 @@ If ManagementServerAddressList node is set, the device will only use the server
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
-Supported operations are Get and Replace. Value type is string.
+Supported operations are Get and Replace.
+
+Value type is string.
**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last successful sync to unenroll.
-Supported operations are Add, Delete, Get, and Replace. Value type is integer.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
-Supported operations are Add, Delete, Get, and Replace. Value type is bool.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is bool.
+
+**Provider/*ProviderID*/ForceAadToken**
+The value type is integer/enum.
+
+The value is "1" and it means client should always send AAD device token during check-in/sync.
**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
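Review bot: The new **Provider/*ProviderID*/ForceAadToken** entry is missing the fields every neighbouring node in this hunk carries: there is no "Supported operations are ..." line, no "Added in ..." version, and no Optional/Required marker. The value description is also incomplete: "The value type is integer/enum" followed by a single value, "1", leaves the default and the behaviour when the node is absent or set to anything else undocumented. Because this node controls whether the client always sends the AAD device token at check-in, list every accepted value with its meaning, state the default, and pick one data type rather than "integer/enum".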
@@ -435,6 +466,117 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
+**Provider/*ProviderID*/LinkedEnrollment/Priority**
+This node is an integer, value is "0" or "1".
+
+Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one.
+Support operations are Get and Set.
+
+**Provider/*ProviderID*/LinkedEnrollment/Enroll**
+This is an execution node and will trigger a silent MMP-C enrollment, using the AAD device token pulled from the AADJ’ed device. There is no user interaction needed.
+
+Support operation is Exec.
+
+**Provider/*ProviderID*/LinkedEnrollment/Unenroll**
+This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later).
+
+Support operation is Exec.
+
+**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
+
+This node can be used to check both enroll and unenroll statuses.
+This will return the enroll action status and is defined as a enum class LinkedEnrollmentStatus. The values are aas follows:
+
+- Undefined = 0
+- EnrollmentNotStarted = 1
+- InProgress = 2
+- Failed = 3
+- Succeeded = 4
+- UnEnrollmentQueued = 5
+- UnEnrollmentSucceeded = 8
+
+Support operation is Get only.
+
+**Provider/*ProviderID*/LinkedEnrollment/LastError**
+
+This specifies the Hresult to report the enrollment/unenroll results.
+
+**Provider/*ProviderID*/Recovery/AllowRecovery**
+
+This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate.
+
+Supported operations are Get, Add, Replace and Delete.
+
+The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0.
+
+**Provider/*ProviderID*/Recovery/RecoveryStatus**
+
+This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows:
+
+0 - No Recovery request has been processed.
+1 - Recovery is in Process.
+2 - Recovery has finished successfully.
+3 - Recovery has failed to start because TPM is not available.
+4 - Recovery has failed to start because AAD keys are not protected by the TPM.
+5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
+6 - Recovery has failed to start because the TPM is not ready for attestation.
+7 - Recovery has failed because the client cannot authenticate to the server.
+8 - Recovery has failed because the server has rejected the client's request.
+
+Supported operation is Get only.
+
+**Provider/*ProviderID*/Recovery/InitiateRecovery**
+
+This node initiates an MDM Recovery operation on the client.
+
+If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
+
+If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
+
+Supported operation is Exec only.
+
+**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
+
+Optional. This node specifies maximum number of concurrent user sync sessions in background.
+
+The default value is dynamically decided by the client based on CPU usage.
+
+The values are : 0= none, 1= sequential, anything else= parallel.
+
+Supported operations are Get, Add, Replace and Delete.
+
+Value type is integer. Only applicable for Windows Enterprise multi-session.
+
+
+**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
+Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
+
+The default value is dynamically decided by the client based on CPU usage.
+
+The values are : 0= none, 1= sequential, anything else= parallel.
+
+Supported operations are Get, Add, Replace and Delete.
+
+Value type is integer. Only applicable for Windows Enterprise multi-session.
+
+**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
+Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`.
+
+If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
+
+This configuration is only applicable for Windows Multi-session Editions.
+
+Supported operations are Get and Replace.
+
+**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession**
+Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
+
+If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
+
+The default value is 0. This configuration is only applicable for Windows Multi-session Editions.
+
+Supported operations are Get and Replace.
+
**Provider/*ProviderID*/ConfigLock**
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
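Review bot: The LinkedEnrollment/Priority text assigns both meanings to the same value: "Default is 1, meaning the MDM enrollment is the winning authority" is followed by "Value 1 means MMP-C enrollment is the winning one", and 0 is never explained. State which of 0 and 1 selects MDM and which selects MMP-C, and which is the default, since this decides whose policy wins on conflict. Other points in this hunk: "Support operations are Get and Set" uses an operation name that appears nowhere else in this file (the other nodes use Add, Get, Replace, Delete, Exec); the EnrollStatus values jump from 5 to 8, so either document 6 and 7 or say they are unused; the RecoveryStatus values 0 to 8 are consecutive plain lines with no list markers and will render as one run-on paragraph, unlike the `-` list used for EnrollStatus; IntervalForScheduledRetriesForUserSession refers to `//Poll/NumberOfScheduledRetriesForUserSession`, but that node is added under MultipleSession, not Poll; LinkedEnrollment/LastError has no supported-operations line; and "rollback details will be covered later" points at text that this hunk does not add. Small fixes: "aas follows", "a enum", "rolled back(rollback", and "MMPC" versus "MMP-C".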
@@ -442,7 +584,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
->If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
**Provider/*ProviderID*/ConfigLock/Lock**
@@ -488,7 +630,7 @@ The status error mapping is listed below.
|--- |--- |
|0|Success|
|1|Failure: invalid PFN|
-|2|Failure: invalid or expired device authentication with MSA|
+|2|Failure: invalid or expired device authentication with Microsoft account|
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|4|Failure: no Channel URI assigned|
|5|Failure: Channel URI has expired|
@@ -504,22 +646,30 @@ Supported operations are Add, Delete, and Get.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
@@ -527,17 +677,23 @@ Optional node. Added in Windows 10, version 1709.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
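Review bot: The ExpectedMSIAppPackages example is carried over unchanged in the added line and still writes the delimiter as `Status;4"\xF000" ./User/...`, with quotation marks and a trailing space that the paragraph's own notation, L"\xF000", does not have. Since this line is being rewritten anyway, say whether the quotes and the space are literal, or rewrite the example so the two LocURIs are separated by the single 0xF000 character only. A server author copying the example as shown cannot tell which form the client parses.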
@@ -549,62 +705,86 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace. Value type is string.
+Supported operations are Add, Delete, Get, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
-Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
-Supported operations are Get and Replace. Value type is integer.
+Supported operations are Get and Replace.
+
+Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
-Supported operations are Get and Replace. Value type is boolean.
+Supported operations are Get and Replace.
+
+Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
-Supported operations are Get and Replace. Value type is boolean.
+Supported operations are Get and Replace.
+
+Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
-Supported operations are Get and Replace. Value type is integer.
+Supported operations are Get and Replace.
+
+Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
-Supported operations are Get and Replace. Value type is integer.
+Supported operations are Get and Replace.
+
+Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
-Supported operations are Get and Replace. Value type is bool.
+Supported operations are Get and Replace.
+
+Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
-Supported operations are Add, Get, Delete, and Replace. Value type is string.
+Supported operations are Add, Get, Delete, and Replace.
+
+Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
-Supported operations are Get and Replace. Value type is bool.
+Supported operations are Get and Replace.
+
+Value type is bool.
**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
-Supported operations are Get and Replace. Value type is bool.
+Supported operations are Get and Replace.
+
+Value type is bool.
**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
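Review bot: The split-out value type lines are inconsistent: AllowCollectLogsButton, SkipDeviceStatusPage and SkipUserStatusPage get "Value type is bool." while ServerHasFinishedProvisioning and IsSyncDone get "Value type is boolean." Pick one spelling while these lines are being moved. The ServerHasFinishedProvisioning context line also mixes "True" and "true" and opens a curly quote that closes with a straight one (“change its mind"), which is worth cleaning up in the same pass.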
@@ -614,22 +794,30 @@ Supported operation is Get.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is integer.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
-Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is boolean.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
-Supported operations are Add, Get, Replace, and Delete. Value type is string.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is string.
**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
-Supported operations are Add, Get, Replace, and Delete. Value type is string.
+Supported operations are Add, Get, Replace, and Delete.
+
+Value type is string.
**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent.
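Review bot: UseCertIfRevocationCheckOffline is left reading "The default value is set." next to a new "Value type is boolean." line, so the reader has to infer which boolean value "set" means. Because this default decides whether a certificate is used when its revocation status cannot be checked, state the default as an explicit true or false. The Cert0 and Cert1 descriptions ("the primary certificate - the public key to use") would also benefit from saying what format the string value takes.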
@@ -658,5 +846,4 @@ The following SyncML shows how to remotely unenroll the device. This command sho
## Related articles
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index 6b48ccc230..8a95673243 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -13,10 +13,20 @@ manager: dansimp
# DMSessionActions CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The DMSessionActions configuration service provider (CSP) is used to manage:
-- the number of sessions the client skips if the device is in a low-power state
+- the number of sessions the client skips if the device is in a low-power state.
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
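Review bot: The added applicability table ends at `|Education|Yes|Yes|` and, as the hunk is shown, is followed directly by the "The DMSessionActions configuration service provider (CSP) is used to manage:" paragraph with no added blank line. The DynamicManagement change in this same patch adds an explicit empty line after its table. Confirm a blank line separates the table from the paragraph here, otherwise the paragraph can render as a table row. The intro sentence "The table below shows the applicability of Windows:" would also read better as a statement of which Windows editions the CSP applies to.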
@@ -62,42 +72,59 @@ DMSessionActions
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
```
+
**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
-
Defines the root node for the DMSessionActions configuration service provider.
+Defines the root node for the DMSessionActions configuration service provider.
***ProviderID***
-
Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
-
Scope is dynamic. Supported operations are Get, Add, and Delete.
+Scope is dynamic. Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration**
-
Node for the custom configuration of alerts to be sent during MDM sync session.
+Node for the custom configuration of alerts to be sent during MDM sync session.
***ProviderID*/CheckinAlertConfiguration/Nodes**
-
Required. Root node for URIs to be queried. Scope is dynamic.
+Required. Root node for URIs to be queried. Scope is dynamic.
-
Supported operation is Get.
+Supported operation is Get.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
-
Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
+Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
-
Supported operations are Get, Add, and Delete.
+Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
-
Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
+
+Value type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
**AlertData**
-
Node to query the custom alert per server configuration
-
Value type is string. Supported operation is Get.
+Node to query the custom alert per server configuration
+
+Value type is string.
+
+Supported operation is Get.
**PowerSettings**
-
Node for power-related configurations
+Node for power-related configurations.
**PowerSettings/MaxSkippedSessionsInLowPowerState**
-
Maximum number of continuous skipped sync sessions when the device is in low-power state.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum number of continuous skipped sync sessions when the device is in low-power state.
+
+Value type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
-
Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
+
+Value type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
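Review bot: The rewritten ProviderID description still ends "there should be only one ProviderID node under NodeCache", which names a different CSP than the one this file documents. It looks carried over from the NodeCache article; if so, it should refer to DMSessionActions. Smaller point in the same hunk: the new AlertData line "Node to query the custom alert per server configuration" has no terminal period, while the PowerSettings line was changed specifically to add one.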
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 355e5d1e79..ce38bf29cd 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -14,7 +14,18 @@ ms.collection: highpri
# DynamicManagement CSP
-Windows 10 allows you to manage devices differently depending on location, network, or time. In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time. Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
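Review bot: In the replacement intro paragraph, "Added in Windows 10, version 1703, the focus is on the most common areas of concern" has a dangling modifier: the sentence says the focus was added, not the feature. The unchanged line that follows, "This CSP was added in Windows 10, version 1703.", already states the version, so the clause can be dropped and the sentence can start at "The focus is on". "Windows 10 or Windows 11 allows you" would also read more naturally as "Windows 10 and Windows 11 allow you".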
@@ -33,13 +44,18 @@ DynamicManagement
------------Altitude
----AlertsEnabled
```
+
**DynamicManagement**
-
The root node for the DynamicManagement configuration service provider.
+The root node for the DynamicManagement configuration service provider.
**NotificationsEnabled**
-
Boolean value for sending notification to the user of a context change.
-
Default value is False. Supported operations are Get and Replace.
-
Example to turn on NotificationsEnabled:
+Boolean value for sending notification to the user of a context change.
+
+Default value is False.
+
+Supported operations are Get and Replace.
+
+Example to turn on NotificationsEnabled:
```xml
@@ -56,45 +72,64 @@ DynamicManagement
```
+
**ActiveList**
-
A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
-
Supported operation is Get.
+A string containing the list of all active ContextIDs on the device. Delimiter is unicode character 0xF000.
+
+Supported operation is Get.
**Contexts**
-
Node for context information.
-
Supported operation is Get.
+Node for context information.
+
+Supported operation is Get.
***ContextID***
-
Node created by the server to define a context. Maximum number of characters allowed is 38.
-
Supported operations are Add, Get, and Delete.
+Node created by the server to define a context. Maximum number of characters allowed is 38.
+
+Supported operations are Add, Get, and Delete.
**SignalDefinition**
-
Signal Definition XML.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Signal Definition XML.
+
+Value type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
**SettingsPack**
-
Settings that get applied when the Context is active.
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Settings that get applied when the Context is active.
+
+Value type is string.
+
+Supported operations are Add, Get, Delete, and Replace.
**SettingsPackResponse**
-
Response from applying a Settings Pack that contains information on each individual action.
-
Value type is string. Supported operation is Get.
+Response from applying a Settings Pack that contains information on each individual action.
+
+Value type is string.
+
+Supported operation is Get.
**ContextStatus**
-
Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
-
Value type is integer. Supported operation is Get.
+Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly is failed.
+
+Value type is integer.
+
+Supported operation is Get.
**Altitude**
-
A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.
-
Value type is integer. Supported operations are Add, Get, Delete, and Replace.
+A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
+
+Value type is integer.
+
+Supported operations are Add, Get, Delete, and Replace.
**AlertsEnabled**
-
A Boolean value for sending an alert to the server when a context fails.
-
Supported operations are Get and Replace.
+A Boolean value for sending an alert to the server when a context fails.
+Supported operations are Get and Replace.
## Examples
-Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
+Disable Cortana based on Geo location and time, from 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
```xml
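Review bot: The ContextStatus line changes "what exactly failed" to "what exactly is failed", which introduces a grammar error; keep the original wording. In AlertsEnabled, the two added lines "A Boolean value for sending an alert to the server when a context fails." and "Supported operations are Get and Replace." have no empty line between them, unlike every other node in this hunk, so they will render as one paragraph. The Altitude change to "This is required and must be distinct of other priorities" loses the subject "This value", and the first example heading still has no trailing colon although later hunks add one to "Delete a context:" and "Get ContextStatus and SignalDefinition from a specific context:".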
@@ -203,7 +238,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
```
-Delete a context
+Delete a context:
```xml
@@ -216,7 +251,7 @@ Delete a context
```
-Get ContextStatus and SignalDefinition from a specific context
+Get ContextStatus and SignalDefinition from a specific context:
```xml
@@ -236,3 +271,7 @@ Get ContextStatus and SignalDefinition from a specific context
```
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
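Review bot: The new "Related articles" section leaves the file without a trailing newline, as the "\ No newline at end of file" marker shows. Add a newline after the link line so later appends to this file do not produce a spurious diff on that line.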
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 9f9d1ab88c..1565168c9c 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -14,12 +14,10 @@ ms.date: 06/26/2017
# EAP configuration
-
This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
## Create an EAP configuration XML for a VPN profile
-
To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.
@@ -107,15 +105,13 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
```
> [!NOTE]
- > You should check with mobile device management (MDM) vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- - C:\\Windows\\schemas\\EAPHost
- - C:\\Windows\\schemas\\EAPMethods
+ > You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
+ > - C:\\Windows\\schemas\\EAPHost
+ > - C:\\Windows\\schemas\\EAPMethods
-
## EAP certificate filtering
-
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
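Review bot: The reworded note, "You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format", adds a comma that changes the meaning (check with the vendor only if you need to) and still lacks "your". Suggest "Check with your mobile device management (MDM) vendor whether you need to pass this XML in escaped format." Adding the `>` prefix to the two path bullets so they stay inside the note is a good fix.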
@@ -123,11 +119,11 @@ Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can
- The user might be prompted to select the certificate.
- The wrong certificate might be auto-selected and cause an authentication failure.
-A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
+A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication.
-EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
+EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
-- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
+- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
For information about EAP settings, see .
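Review bot: The first changed paragraph drops two articles and ends up less grammatical than the text it replaces: "must have appropriate certificate details" and "appropriate certificate can be used for the authentication". The second needs "the" restored. Removing the comma before "or by using the step-by-step UI guide" is fine, and the added comma after "Within these tags" is correct.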
@@ -142,9 +138,9 @@ The following list describes the prerequisites for a certificate to be used with
- The certificate must have at least one of the following EKU properties:
- - Client Authentication. As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- - Any Purpose. This property is an EKU-defined one and is published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- - All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
+ - Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
+ - Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
+ - All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
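Review bot: The All Purpose entry is being reformatted but still says "the CA can add an EKU value of 0", while the Client Authentication and Any Purpose entries give full OIDs. RFC 5280 defines anyExtendedKeyUsage as OID 2.5.29.37.0; giving that value here would let an administrator match it against a certificate's EKU list when building the filter. The new sentence "It is a well-defined OID" also departs from the contraction style used in the rest of the patch ("we'll", "isn't", "can't").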
@@ -157,7 +153,6 @@ The following XML sample explains the properties for the EAP TLS XML, including
> For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
-
```xml
@@ -261,7 +256,6 @@ The following XML sample explains the properties for the EAP TLS XML, including
> The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
-
Alternatively, you can use the following procedure to create an EAP configuration XML:
1. Follow steps 1 through 7 in the EAP configuration article.
@@ -290,8 +284,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
-
-
+## Related topics
-
+[Configuration service provider reference](configuration-service-provider-reference.md)
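Review bot: This file gets the heading "## Related topics", while the DMSessionActions and DynamicManagement changes in the same patch add "## Related articles" for the identical link. Use one heading across the CSP articles.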
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index d84509518f..d2ba3631d3 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# EMAIL2 CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
@@ -81,9 +91,8 @@ Supported operations are Get, Add, and Delete.
The braces {} around the GUID are required in the EMAIL2 configuration service provider.
-- For OMA Client Provisioning, the braces can be sent literally. For example, ``.
-
-- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D`
+- For OMA Client Provisioning, the braces can be sent literally. For example, ``
+- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D`
**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
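Review bot: The OMA DM example on the added line, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D`, is one character short. Read as 0x7B + GUID + 0x7D, the last GUID group is D9469EE1FBE (11 hex digits); read with a 12-digit group D9469EE1FBE0, the closing brace is written x7D without its leading 0. Since the sentence tells readers to encode the braces as 0x7B and 0x7D, fix the example so both the GUID and the closing 0x7D are complete. The first bullet also loses its terminal period in this change while ending in an empty code span; check that the example it introduces is present in the source.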
@@ -99,9 +108,8 @@ Supported operations are Get, Add, Replace, and Delete.
Valid values are:
-- Email: normal email
-
-- VVM: visual voice mail
+- Email: Normal email
+- VVM: Visual voice mail
**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
@@ -113,16 +121,14 @@ Optional. Character string that specifies whether the outgoing server requires a
Supported operations are Get, Add, Replace, and Delete.
-Value options:
+Value options are:
-- 0 - Server authentication isn't required.
-- 1 - Server authentication is required.
+- 0 - Server authentication isn't required.
+- 1 - Server authentication is required.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
-
-
**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
@@ -140,18 +146,15 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
-- -1: Specifies that all email currently on the server should be downloaded.
-
-- 7: Specifies that seven days’ worth of email should be downloaded.
-
-- 14: Specifies that 14 days’ worth of email should be downloaded.
-
-- 30: Specifies that 30 days’ worth of email should be downloaded.
+- -1: Specifies that all email currently on the server should be downloaded.
+- 7: Specifies that seven days’ worth of email should be downloaded.
+- 14: Specifies that 14 days’ worth of email should be downloaded.
+- 30: Specifies that 30 days’ worth of email should be downloaded.
**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
-- server name:port number
+- server name:port number
Supported operations are Get, Add, and Replace.
@@ -162,20 +165,16 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
-- 0 - Email updates must be performed manually.
-
-- 15 (default) - Wait for 15 minutes between updates.
-
-- 30 - Wait for 30 minutes between updates.
-
-- 60 - Wait for 60 minutes between updates.
-
-- 120 - Wait for 120 minutes between updates.
+- 0 - Email updates must be performed manually
+- 15 (default) - Wait for 15 minutes between updates
+- 30 - Wait for 30 minutes between updates
+- 60 - Wait for 60 minutes between updates
+- 120 - Wait for 120 minutes between updates.
**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
-The limit is specified in KB
+The limit is specified in KB.
Value options are 0, 25, 50, 125, and 250.
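Review bot: The rewritten LINGER list is inconsistent about terminal punctuation: the entries for 0, 15, 30, and 60 lose their periods, but "120 - Wait for 120 minutes between updates." keeps one. Other lists in this patch (for example SERVERDELETEACTION) end each item with a period, so keep the periods on all five entries. In the KEEPMAX context line, "Attachments beyond this size will not be downloaded but it will remain on the server" switches from plural to "it"; since the next line is being edited anyway, change it to "they".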
@@ -191,7 +190,7 @@ Supported operations are Get, Add, Replace, and Delete.
**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
-- server name:port number
+- server name:port number
Supported operations are Get, Add, Delete, and Replace.
@@ -208,8 +207,6 @@ Supported operations are Get, Add, Replace, and Delete.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
-
-
**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
@@ -217,8 +214,6 @@ Supported operations are Get, Add, Replace, and Delete.
> **Note** The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
-
-
**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
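Review bot: The note under SERVICETYPE is still written as "> **Note** The EMAIL2 Configuration Service Provider doesn't support ..." while the identical note under SERVICENAME in the previous hunk uses the "> [!NOTE]" alert syntax. Since this hunk already touches the lines right after it, convert this one to "> [!NOTE]" so both copies render the same way.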
@@ -227,10 +222,10 @@ Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
**SERVERDELETEACTION**
-Optional. Character string that specifies how message is deleted on server. Value options:
+Optional. Character string that specifies how message is deleted on server. Value options are:
-- 1 - delete message on the server
-- 2 - keep the message on the server (delete to the Trash folder).
+- 1 - Delete message on the server.
+- 2 - Keep the message on the server (delete to the Trash folder).
Any other value results in default action, which depends on the transport.
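Review bot: The edited SERVERDELETEACTION sentence still reads "specifies how message is deleted on server", with both articles missing; suggest "specifies how a message is deleted on the server". Option 2, "Keep the message on the server (delete to the Trash folder)", is also ambiguous about which Trash folder is meant, so a few words on whether that is the server-side folder would help.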
@@ -244,19 +239,19 @@ Value type is string. Supported operations are Get, Add, Replace, and Delete.
**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
-- No data (0x0)
-- Contacts (0x1)
-- Mail (0x2)
-- Appointments (0x4)
-- Tasks (0x8)
-- Notes (0x10)
-- Feeds (0x60)
-- Network Photo (0x180)
-- Group and room (0x200)
-- Chat (0x400)
-- Email Recipient Email (0x800)
-- Server Link (0x1000)
-- All items (0xffffffff)
+- No data (0x0)
+- Contacts (0x1)
+- Mail (0x2)
+- Appointments (0x4)
+- Tasks (0x8)
+- Notes (0x10)
+- Feeds (0x60)
+- Network Photo (0x180)
+- Group and room (0x200)
+- Chat (0x400)
+- Email Recipient Email (0x800)
+- Server Link (0x1000)
+- All items (0xffffffff)
Supported operations are Get, Add, Replace, and Delete.
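Review bot: SYNCINGCONTENTTYPES is described as a bitmask, but the list re-indented here mixes single-bit values with Feeds (0x60) and Network Photo (0x180), which each span two bits, and nothing says that values are combined with a bitwise OR. Since every list line is being touched, add one sentence on how to combine values and what the two-bit entries mean. "Email Recipient Email (0x800)" also reads like a duplicated word and is worth checking.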
@@ -322,10 +317,10 @@ Optional. Character string that specifies if the incoming email server requires
Supported operations are Get, Add, Replace, and Delete.
-Value options:
+Value options are:
-- 0 - SSL isn't required.
-- 1 - SSL is required.
+- 0 - SSL isn't required.
+- 1 - SSL is required.
**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
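Review bot: The lead-in for the incoming-server SSL setting becomes "Value options are:" here, but the same lead-in for TAGPROPS/812C000B directly below stays "Value options:"; make both the same. The node is marked Optional and the list doesn't say which value applies when it is omitted. Because the Remarks section describes a fallback to a non-SSL connection when encryption isn't required, state the default explicitly next to these two values.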
@@ -334,37 +329,28 @@ Supported operations are Get and Replace.
Value options:
-- 0 - SSL isn't required.
-- 1 - SSL is required.
+- 0 - SSL isn't required.
+- 1 - SSL is required.
## Remarks
-
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
-- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
-
-- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
-
-- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
+- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
+- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
+- Account details can't be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
-1. The device attempts to connect to the mail server using SSL.
-
-2. If the SSL connection fails, the device attempts to connect using deferred SSL.
-
-3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
-
-4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
-
-5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
-
-6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
+1. The device attempts to connect to the mail server using SSL
+2. If the SSL connection fails, the device attempts to connect using deferred SSL
+3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection
+4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection
+5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
+6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related articles
-
[Configuration service provider reference](configuration-service-provider-reference.md)
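Review bot: In the TLS steps, items 1 through 4 lose their terminal periods while items 5 and 6 keep theirs; each step is a full sentence, so keep the period on all six. In the unchanged Remarks paragraph above the credential rules, "if it's left out in the \\ block" has lost the element name it refers to; restore it while this section is being edited. The second credential rule, "If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error", would be clearer if it said that setting only a subset of the outgoing credentials is the error condition, if that is the intent.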
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 6cf9e1ad93..d345f06255 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -11,14 +11,24 @@ ms.date: 05/21/2019
# EnrollmentStatusTracking CSP
-During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status).
ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md).
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
-
-The following example shows the EnrollmentStatusTracking CSP in tree format.
+The following shows the EnrollmentStatusTracking CSP in tree format.
```
./User/Vendor/MSFT
EnrollmentStatusTracking
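Review bot: In the rewritten intro paragraph, the comma after "SideCar" was dropped ("such as SideCar to configure ESP"), so the example of an agent now runs straight into the purpose clause; restore the comma. "The following shows the EnrollmentStatusTracking CSP in tree format" also lost its noun when "example" was removed, and "The table below shows the applicability of Windows:" would read better as a statement about edition applicability.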
@@ -59,6 +69,7 @@ EnrollmentStatusTracking
------------------------RebootRequired
--------HasProvisioningCompleted
```
+
**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
@@ -93,10 +104,11 @@ Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotInstalled
-- 2 — NotRequired
-- 3 — Completed
-- 4 — Error
+
+- 1—NotInstalled
+- 2—NotRequired
+- 3—Completed
+- 4—Error
**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
Required. This node is supported only in device context.
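Review bot: The value list here removes the spaces around the dash between each number and its name (the NotInstalled, NotRequired, Completed, and Error entries), which makes the entries harder to scan and differs from the "0 - SSL isn't required." style used in the EMAIL2 page in this same patch. Use one separator style across the CSP pages; the same applies to the other value lists changed in this file.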
@@ -127,8 +139,9 @@ This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. Expected values are as follows:
-- false — Indicates that the policy provider is not registered for app provisioning. This is the default.
-- true — Indicates that the policy provider is registered for app provisioning.
+
+- false—Indicates that the policy provider isn't registered for app provisioning. This is the default.
+- true—Indicates that the policy provider is registered for app provisioning.
**EnrollmentStatusTracking/Setup**
Required. This node is supported in both user context and device context.
@@ -150,7 +163,7 @@ Scope is permanent. Supported operation is Get.
**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
Optional. This node is supported in both user context and device context.
-Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true.
+Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -161,8 +174,9 @@ Indicates if the provider has created the required policies for the ESP to use f
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is boolean. The expected values are as follows:
-- true — Indicates that the provider has created the required policies.
-- false — Indicates that the provider has not created the required policies. This is the default.
+
+- true—Indicates that the provider has created the required policies.
+- false—Indicates that the provider hasn't created the required policies. This is the default.
**EnrollmentStatusTracking/Setup/Apps/Tracking**
Required. This node is supported in both user context and device context.
@@ -178,7 +192,7 @@ Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
Optional. This node is supported in both user context and device context.
-Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly.
+Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -189,21 +203,23 @@ Represents the installation state for the app. The policy providers (not the MDM
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotInstalled
-- 2 — InProgress
-- 3 — Completed
-- 4 — Error
+
+- 1—NotInstalled
+- 2—InProgress
+- 3—Completed
+- 4—Error
**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
Optional. This node is supported in both user context and device context.
-Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation.
+Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. Expected values are as follows:
-- 1 — NotRequired
-- 2 — SoftReboot
-- 3 — HardReboot
+
+- 1—NotRequired
+- 2—SoftReboot
+- 3—HardReboot
**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
Required. This node is supported in both user context and device context.
@@ -212,5 +228,10 @@ ESP sets this node when it completes. Providers can query this node to determine
Scope is permanent. Supported operation is Get.
Value type is boolean. Expected values are as follows:
-- true — Indicates that ESP has completed. This is the default.
-- false — Indicates that ESP is displayed, and provisioning is still going.
\ No newline at end of file
+
+- true—Indicates that ESP has completed. This is the default.
+- false—Indicates that ESP is displayed, and provisioning is still going.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
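Review bot: The file still ends without a trailing newline after the added Related topics link, as the "No newline at end of file" marker on the new last line shows; end the file with a newline. The heading added here is "## Related topics", while the EMAIL2 page in this patch uses "## Related articles"; pick one heading for all CSP pages.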
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index 8893e068c9..535d6ce24b 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAPN CSP
-description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
+description: Learn how the EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2
ms.reviewer:
manager: dansimp
@@ -14,10 +14,18 @@ ms.date: 09/22/2017
# EnterpriseAPN CSP
-The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
+The table below shows the applicability of Windows:
-> [!Note]
-> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet.
The following example shows the EnterpriseAPN configuration service provider in tree format.
```
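Review bot: The removed note said the EnterpriseAPN CSP is supported starting in Windows 10, version 1703, in Home, Pro, Enterprise, and Education; the replacement table only gives Yes or No per edition, so the minimum version is no longer stated anywhere in the visible text. Keep the version statement alongside the table.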
@@ -39,111 +47,112 @@ EnterpriseAPN
--------HideView
```
**EnterpriseAPN**
-
The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider.
**EnterpriseAPN/***ConnectionName*
-
Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/APNName**
-
Enterprise APN name.
+Enterprise APN name.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IPType**
-
This value can be one of the following values:
+This value can be one of the following:
-- IPv4 - only IPV4 connection type
-- IPv6 - only IPv6 connection type
-- IPv4v6 (default)- IPv4 and IPv6 concurrently.
-- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
+- IPv4 - only IPV4 connection type.
+- IPv6 - only IPv6 connection type.
+- IPv4v6 (default)- IPv4 and IPv6 concurrently.
+- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
-
Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach.
-
Supported operations are Add, Get, Delete, and Replace.
+Default value is false.
+
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/ClassId**
-
GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AuthType**
-
Authentication type. This value can be one of the following values:
+Authentication type. This value can be one of the following:
-- None (default)
-- Auto
-- PAP
-- CHAP
-- MSCHAPv2
+- None (default)
+- Auto
+- PAP
+- CHAP
+- MSCHAPv2
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/UserName**
-
User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Password**
-
Password corresponding to the username.
+Password corresponding to the username.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IccId**
-
Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AlwaysOn**
-
Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
-
The default value is true.
+The default value is true.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Enabled**
-
Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
-
The default value is true.
+The default value is true.
-
Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Roaming**
-
Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are:
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/Settings**
-
Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings.
**EnterpriseAPN/Settings/AllowUserControl**
-
Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
-
The default value is false.
+The default value is false.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**EnterpriseAPN/Settings/HideView**
-
Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
-
The default value is false.
+The default value is false.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples
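Review bot: Under EnterpriseAPN/*ConnectionName*/Roaming, the new line "Valid values are:" is followed directly by "Value type is string." with no values listed, so a reader can't tell which strings the node accepts; add the list or drop the colon lead-in. Two other edits in this hunk make the text less precise than what they replace: "This GUID is the same as" becomes "This is the same as", and "one of the following values" becomes "one of the following". In the IPType list, "only IPV4 connection type" still has different casing from "IPv4" on the same line.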
@@ -290,15 +299,4 @@ atomicZ
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
deleted file mode 100644
index b59fc137e1..0000000000
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ /dev/null
@@ -1,534 +0,0 @@
----
-title: EnterpriseAppManagement CSP
-description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP).
-ms.assetid: 698b8bf4-652e-474b-97e4-381031357623
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
----
-
-# EnterpriseAppManagement CSP
-
-
-The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
-
-> [!NOTE]
-> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core.
-
-
-The following example shows the EnterpriseAppManagement configuration service provider in tree format.
-
-```console
-./Vendor/MSFT
-EnterpriseAppManagement
-----EnterpriseID
---------EnrollmentToken
---------StoreProductID
---------StoreUri
---------CertificateSearchCriteria
---------Status
---------CRLCheck
---------EnterpriseApps
-------------Inventory
-----------------ProductID
---------------------Version
---------------------Title
---------------------Publisher
---------------------InstallDate
-------------Download
-----------------ProductID
---------------------Version
---------------------Name
---------------------URL
---------------------Status
---------------------LastError
---------------------LastErrorDesc
---------------------DownloadInstall
-```
-
-***EnterpriseID***
-Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications.
-
-Supported operations are Add, Delete, and Get.
-
-***EnterpriseID*/EnrollmentToken**
-Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic.
-
-Supported operations are Get, Add, and Replace.
-
-***EnterpriseID*/StoreProductID**
-Required. The node to host the ProductId node. Scope is dynamic.
-
-Supported operation is Get.
-
-**/StoreProductID/ProductId**
-The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic.
-
-Supported operations are Get and Add.
-
-***EnterpriseID*/StoreUri**
-Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic.
-
-Supported operations are Get and Add.
-
-***EnterpriseID*/CertificateSearchCriteria**
-Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) function. This search parameter is case sensitive. Scope is dynamic.
-
-Supported operations are Get and Add.
-
-> [!NOTE]
-> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00
-
-
-
-***EnterpriseID*/Status**
-Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic.
-
-Supported operation is Get.
-
-***EnterpriseID*/CRLCheck**
-Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic.
-
-Supported operations are Get, Add, and Replace.
-
-***EnterpriseID*/EnterpriseApps**
-Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
-
-Supported operation is Get.
-
-**/EnterpriseApps/Inventory**
-Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
-
-Supported operation is Get.
-
-**/Inventory/***ProductID*
-Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Inventory/*ProductID*/Version**
-Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Inventory/*ProductID*/Title**
-Required. The character string that contains the name of the installed enterprise application. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Inventory/*ProductID*/Publisher**
-Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Inventory/*ProductID*/InstallDate**
-Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic.
-
-Supported operation is Get.
-
-**/EnterpriseApps/Download**
-Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Download/***ProductID*
-Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic.
-
-Supported operations are Get, Add, and Replace.
-
-**/Download/*ProductID*/Version**
-Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic.
-
-Supported operations are Get, Add, and Replace.
-
-**/Download/*ProductID*/Name**
-Required. The character string that contains the name of the installed application. Scope is dynamic.
-
-Supported operation is Get.
-
-**/Download/*ProductID*/URL**
-Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic.
-
-Supported operations are Get, Add, and Replace.
-
-**/Download/*ProductID*/Status**
-Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
-
-|Value|Description|
-|--- |--- |
-|0: CONFIRM|Waiting for confirmation from user.|
-|1: QUEUED|Waiting for download to start.|
-|2: DOWNLOADING|In the process of downloading.|
-|3: DOWNLOADED|Waiting for installation to start.|
-|4: INSTALLING|Handed off for installation.|
-|5: INSTALLED|Successfully installed|
-|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)|
-|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.|
-
-Scope is dynamic. Supported operations are Get, Add, and Replace.
-
-**/Download/*ProductID*/LastError**
-Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic.
-
-Supported operation is Get.
-
-**/Download/*ProductID*/LastErrorDesc**
-Required. The character string that contains the human readable description of the last error code.
-
-**/Download/*ProductID*/DownloadInstall**
-Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic.
-
-Supported operation is Exec.
-
-## Remarks
-
-
-### Install and Update Line of Business (LOB) applications
-
-A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section.
-
-### Uninstall Line of Business (LOB) applications
-
-A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section.
-
-### Query installed Store application
-
-You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application.
-
-The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e.
-
-Use the following SyncML format to query to see if the application is installed on a managed device:
-
-```xml
-
- 1
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D
-
-
-
-```
-
-Response from the device (it contains list of subnodes if this app is installed in the device).
-
-```xml
-
- 3
- 1
- 2
-
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D
-
-
- node
-
-
-Version/Title/Publisher/InstallDate
-
-
-```
-
-### Node Values
-
-All node values under the ProviderID interior node represent the policy values that the management server wants to set.
-
-- An Add or Replace command on those nodes returns success in both of the following cases:
-
- - The value is applied to the device.
-
- - The value isn’t applied to the device because the device has a more secure value set already.
-
-From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
-
-- A Get command on those nodes returns the value that the server pushes down to the device.
-
-- If a Replace command fails, the node value is set to be the previous value before Replace command was applied.
-
-- If an Add command fails, the node isn't created.
-
-The value applied to the device can be queried via the nodes under the DeviceValue interior node.
-
-## OMA DM examples
-
-
-Enroll enterprise ID “4000000001” for the first time:
-
-```xml
-
- 2
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken
-
-
- chr
-
- InsertTokenHere
-
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria
-
-
-
- chr
-
- SearchCriteriaInsertedHere
-
-
-```
-
-Update the enrollment token (for example, to update an expired application enrollment token):
-
-```xml
-
- 2
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken
-
-
- chr
-
- InsertUpdaedTokenHere
-
-
-```
-
-Query all installed applications that belong to enterprise ID “4000000001”:
-
-```xml
-
- 2
-
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData
-
-
-
-
-```
-
-Response from the device (that contains two installed applications):
-
-```xml
-
- 3
- 1
- 2
-
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory
-
-
-
- node
-
-
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
-
-
-
- node
-
-
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D
-
-
-
- node
-
-
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
-
-
- 1.0.0.0
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
-
-
- Sample1
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
-
-
- ExamplePublisher
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
-
-
- 2012-10-30T21:09:52Z
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version
-
-
- 1.0.0.0
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title
-
-
- Sample2
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher
-
-
- Contoso
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate
-
-
- 2012-10-31T21:23:31Z
-
-
-```
-
-## Install and update an enterprise application
-
-
-Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”.
-
-To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog.
-
-> [!NOTE]
-> - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation).
->
-> - The application product ID curly braces need to be escaped where { is %7B and } is %7D.
-
-
-
-```xml
-
- 2
-
-
- 3
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name
-
-
-
- chr
-
- ContosoApp1
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL
-
-
-
- chr
-
- http://contoso.com/enterpriseapps/ContosoApp1.xap
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version
-
-
- chr
-
- 2.0.0.0
-
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
-
-
- 1
-
-
-
- 4
-
-
-
-./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall
-
-
-
- int
-
- 0
-
-
-
-```
-
-## Uninstall enterprise application
-
-
-Uninstall an installed enterprise application with product ID “{7BB316008A-141D-4A79-810F-8B764C4CFDFB }”:
-
-```xml
-
-
-
- 2
-
-
- ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
-
-
-
-
-
-
-```
-
-## Related topics
-
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 5833aa9062..b2a5361647 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
-description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
+description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
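Review bot: the new `description:` value has a period before the parenthetical ("Windows 10 or Windows 11 PCs. (Enterprise and Education editions)."), which detaches the edition qualifier from the sentence in the page metadata. Suggest dropping that period so it reads "Windows 10 or Windows 11 PCs (Enterprise and Education editions).", matching the body paragraph changed in the next hunk.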
@@ -13,7 +13,18 @@ manager: dansimp
# EnterpriseAppVManagement CSP
-The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 or Windows 11 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```
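Review bot: the lead-in added above the edition table, "The table below shows the applicability of Windows:", reads backwards, because the table shows which Windows editions the CSP applies to. Suggest something like "The following table shows which Windows editions this CSP applies to:". The same sentence is added to the EnterpriseDataProtection and EnterpriseDesktopAppManagement pages in this patch, so fix it in all three.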
@@ -45,68 +56,98 @@ EnterpriseAppVManagement
------------Policy
```
**./Vendor/MSFT/EnterpriseAppVManagement**
-
Root node for the EnterpriseAppVManagement configuration service provider.
+Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement**
-
Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID**
-
Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall".
**AppVPackageManagement/EnterpriseID/PackageFamilyName**
-
Package ID of the published App-V package.
+Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
-
Version ID of the published App-V package.
+Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
-
Name specified in the published AppV package.
-
Value type is string. Supported operation is Get.
+Name specified in the published AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
-
Version specified in the published AppV package.
-
Value type is string. Supported operation is Get.
+Version specified in the published AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
-
Publisher as specified in the published asset information of the AppV package.
-
Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
-
Local package path specified in the published asset information of the AppV package.
-
Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
-
Date the app was installed, as specified in the published asset information of the AppV package.
-
Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
-
Registered users for app, as specified in the published asset information of the AppV package.
-
Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
-
Package ID of the published App-V package.
-
Value type is string. Supported operation is Get.
+ Package ID of the published App-V package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
-
Version ID of the published App-V package.
-
Value type is string. Supported operation is Get.
+Version ID of the published App-V package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
-
Package URI of the published App-V package.
-
Value type is string. Supported operation is Get.
+Package URI of the published App-V package.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPublishing**
-
Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync**
-
Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError**
-
Error code and error description of last sync operation.
-
Value type is string. Supported operation is Get.
+Error code and error description of last sync operation.
+
+Value type is string.
+
+Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription**
-
Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish.
- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
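Review bot: the added description under AppVPackageId starts with a stray leading space (`+ Package ID of the published App-V package.`), unlike every other description added in this hunk. Remove the space so the line is not rendered with different indentation. While these nodes are being touched, note that the headings `AppVPackageManagement/EnterpriseID` and `AppVPackageManagement/EnterpriseID/PackageFamilyName` do not italicize the placeholder segments, although the deeper nodes write them as *EnterpriseID* and *PackageFamilyName*.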
@@ -116,10 +157,12 @@ EnterpriseAppVManagement
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
-
Value type is string. Supported operation is Get.
+Value type is string.
+
+Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription**
-
Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
@@ -127,9 +170,12 @@ EnterpriseAppVManagement
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
-
Value type is string. Supported operation is Get.
+Value type is string.
-AppVPublishing/LastSync/SyncProgress
Latest sync state. One of the following values may be returned:
+Supported operation is Get.
+
+**AppVPublishing/LastSync/SyncProgress**
+Latest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
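Review bot: the context line just above the changed lines still has a misplaced escape, `SYN\C_PROGRESS_UNPUBLISH_PACKAGES`, which renders with a literal backslash inside the constant name. Since this hunk already edits the surrounding text, correct it to `SYNC\_PROGRESS\_UNPUBLISH\_PACKAGES`. Please also confirm that the value lists sit under the right headings: SyncStatusDescription lists the SYNC_PROGRESS_* values and SyncProgress lists the SYNC_STATUS_* values, which looks swapped and matters to anyone matching on these strings.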
@@ -137,22 +183,30 @@ EnterpriseAppVManagement
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
-
Value type is string. Supported operation is Get.
+Value type is string.
+
+Supported operation is Get.
**AppVPublishing/Sync**
-
Used to perform App-V synchronization.
+Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML**
-
Supported operations are Get, Delete, and Execute.
-
+Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8).
+Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy**
-
Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId***
-
ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy**
-
XML for App-V Policy Configuration documents for publishing packages.
-
Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file
+XML for App-V Policy Configuration documents for publishing packages.
+
+Value type is xml.
+
+Supported operations are Add, Get, Delete, and Replace.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
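Review bot: the added PublishXML description contains a doubled comma ("For more information about the protocol,, see"), and "Supported operations are Get, Delete, and Execute." follows it with no blank `+` line in between, so the two will render as one paragraph, unlike the other nodes in this patch. Remove the extra comma and add the blank line. The file also still ends without a trailing newline after the new Related topics link.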
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index d8ec6f71d5..2c237eb14f 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseDataProtection CSP
-description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
+description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer:
manager: dansimp
@@ -14,20 +14,28 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
-> [!Note]
-> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
-> - This CSP was added in Windows 10, version 1607.
+> [!NOTE]
+> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
-
+While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
-While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
+To learn more about Windows Information Protection, see the following articles:
-To learn more about WIP, see the following articles:
-
-- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
+- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
The following example shows the EnterpriseDataProtection CSP in tree format.
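Review bot: the rewritten NOTE drops the bullet "This CSP was added in Windows 10, version 1607." and nothing in the added lines replaces it, so the page no longer states the minimum version. The new edition table covers editions, not versions, and the EnterpriseAppVManagement page in this same patch keeps its "This CSP was added in Windows 10, version 1703" sentence. Suggest keeping the 1607 statement as a sentence in the introduction.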
@@ -53,31 +61,33 @@ The root node for the CSP.
The root node for the Windows Information Protection (WIP) configuration settings.
**Settings/EDPEnforcementLevel**
-Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
+Set the WIP enforcement level.
+
+> [!NOTE]
+> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
The following list shows the supported values:
-- 0 (default) – Off / No protection (decrypts previously protected data).
-- 1 – Silent mode (encrypt and audit only).
-- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
-- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
+- 0 (default) – Off / No protection (decrypts previously protected data).
+- 1 – Silent mode (encrypt and audit only).
+- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/EnterpriseProtectedDomainNames**
-A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
+A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
-> [!Note]
+> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
-1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
-2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
-3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0).
+1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
+2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
+3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0).
Supported operations are Add, Get, Replace, and Delete. Value type is string.
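Review bot: the rewritten EnterpriseProtectedDomainNames line carries over a subject-verb disagreement, "User identities from one of these domains is considered an enterprise managed account". Since the line is being replaced anyway, suggest "A user identity from one of these domains is considered an enterprise-managed account, and data associated with it should be protected." The new NOTE under EDPEnforcementLevel also switches between "Windows Information Protection" and "WIP cleanup" in consecutive sentences; pick one form within the note.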
@@ -89,8 +99,8 @@ Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the us
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed.
+- 1 (default) – Allowed.
Most restricted value is 0.
@@ -231,20 +241,20 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
**Settings/RevokeOnUnenroll**
-This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
+This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
-- 0 – Don't revoke keys.
-- 1 (default) – Revoke keys.
+- 0 – Don't revoke keys.
+- 1 (default) – Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RevokeOnMDMHandoff**
-Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
+Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
-- 0 - Don't revoke keys
-- 1 (default) - Revoke keys
+- 0 - Don't revoke keys.
+- 1 (default) - Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
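Review bot: the rewritten RevokeOnUnenroll line keeps the hard-to-parse instruction "Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1." This is the sentence an admin relies on to make sure keys are revoked, so it should be unambiguous. Suggest "If you want a device to do a selective wipe when it's unenrolled, explicitly set this policy to 1 before sending the unenroll command." The RevokeOnMDMHandoff list also lacks the "The following list shows the supported values:" lead-in and separates values with a hyphen, where the other lists in this file use an en dash.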
@@ -254,29 +264,29 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
**Settings/AllowAzureRMSForEDP**
-Specifies whether to allow Azure RMS encryption for WIP.
+Specifies whether to allow Azure RMS encryption for Windows Information Protection.
-- 0 (default) – Don't use RMS.
-- 1 – Use RMS.
+- 0 (default) – Don't use RMS.
+- 1 – Use RMS.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/SMBAutoEncryptedFileExtensions**
-Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
+Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.
**Settings/EDPShowIcons**
-Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
+Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
The following list shows the supported values:
-- 0 (default) - No WIP overlays on icons or tiles.
-- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
+- 0 (default) - No WIP overlays on icons or tiles.
+- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Status**
-A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
+A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
Suggested values:
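Review bot: the rewritten EDPShowIcons line is inconsistent in its compound modifiers, with "WIP protected files" and "enterprise only app tiles" unhyphenated but "WIP-protected app" hyphenated in the same paragraph. Suggest "WIP-protected files" and "enterprise-only app tiles", plus a comma after "version 1703". In the rewritten Status line, "on the Device" should be lowercase "device".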
@@ -284,25 +294,26 @@ Suggested values:
|--- |--- |--- |--- |--- |
|4|3|2|1|0|
-
-
Bit 0 indicates whether WIP is on or off.
Bit 1 indicates whether AppLocker WIP policies are set.
-Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
+Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
-Here's the list of mandatory WIP policies:
+Here's the list of mandatory WIP policies:
-- EDPEnforcementLevel in EnterpriseDataProtection CSP
-- DataRecoveryCertificate in EnterpriseDataProtection CSP
-- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
-- NetworkIsolation/EnterpriseIPRange in Policy CSP
-- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
+- EDPEnforcementLevel in EnterpriseDataProtection CSP
+- DataRecoveryCertificate in EnterpriseDataProtection CSP
+- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
+- NetworkIsolation/EnterpriseIPRange in Policy CSP
+- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
Bits 2 and 4 are reserved for future use.
Supported operation is Get. Value type is integer.
-
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
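Review bot: The rewritten Bit 3 line expands the abbreviation in its first sentence ("mandatory Windows Information Protection policies") but goes back to "mandatory WIP policies" in the second sentence and in the list intro directly below. Expand it once in the Status paragraph and use WIP after that. While the line is open, "the bit 3 is set to 0 (zero)" should read "bit 3 is set to 0 (zero)". The list intro and the five list items differ only in whitespace between the `-` and `+` versions, so confirm that no trailing spaces were added.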
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 13aead751f..8fe5f44ab9 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseDesktopAppManagement CSP
-description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
+description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.reviewer:
manager: dansimp
@@ -14,6 +14,16 @@ ms.date: 07/11/2017
# EnterpriseDesktopAppManagement CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
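Review bot: The added applicability table has no blank `+` line after its last row (`|Education|Yes|Yes|`), so the row appears to run straight into the "The EnterpriseDesktopAppManagement configuration service provider is used..." paragraph. The same table added to enterprisemodernappmanagement-csp.md ends with an empty `+` line. Add one here too, otherwise a Markdown renderer can pull the paragraph into the table as an extra row.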
@@ -96,8 +106,6 @@ Status of the application. Value type is string. Supported operation is Get.
| Enforcement Failed | 60 |
| Enforcement Completed | 70 |
-
-
**MSI/*ProductID*/LastError**
The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed.
@@ -116,10 +124,8 @@ Added in the March service release of Windows 10, version 1607. A gateway (or de
Value type is string. Supported operation is Get.
-
## Examples
-
**SyncML to request CSP version information**
```xml
@@ -146,9 +152,7 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor. |
-
-
-**SyncML to perform MSI operations for application uninstall**
+**SyncML to perform MSI operations for application uninstall:**
```xml
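Review bot: The colon added in `**SyncML to perform MSI operations for application uninstall:**` makes this label inconsistent with its neighbours: `**SyncML to request CSP version information**` has no colon, and the per-user install label ends in a full stop. Pick one convention and apply it to every example label in this file.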
@@ -202,8 +206,6 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
-
-
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
```xml
@@ -268,9 +270,7 @@ The following table describes the fields in the previous sample:
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
-
-
-**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)**
+**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation):**
```xml
@@ -339,8 +339,6 @@ The following table MsiInstallJob describes the schema elements.
|RetryCount|The number of times the download and installation operation will be retried before the installation will be marked as failed.|
|RetryInterval|Amount of time, in minutes between retry operations.|
-
-
Here's an example of a common response to a request
```xml
@@ -369,7 +367,6 @@ Here's an example of a common response to a request
## How to determine which installation context to use for an MSI package
-
The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
For Intune standalone environment, the MSI package will determine the MSI execution context.
@@ -388,22 +385,20 @@ The following table applies to SCCM hybrid environment.
## How to determine the package type from the MSI package
-
-- ALLUSERS="" - per-user package type
-- ALLUSERS=1 - per-machine package type
-- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
+- ALLUSERS="" - per-user package type
+- ALLUSERS=1 - per-machine package type
+- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type
Properties can be specified in the package, passed through the command line, modified by a transform, or (more commonly) selected through a user interface dialog.
Here's a list of references:
-- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10))
-- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
-- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
+- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10))
+- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
+- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
## Alert example
-
```xml
4
@@ -421,3 +416,6 @@ Here's a list of references:
```
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 709013b0bd..bfe075df09 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -14,6 +14,17 @@ ms.date: 11/19/2021
# EnterpriseModernAppManagement CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
> [!Note]
@@ -65,6 +76,7 @@ EnterpriseModernAppManagement
----------------AddLicense
----------------GetLicenseFromStore
```
+
**Device or User context**
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
@@ -212,16 +224,19 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app.
-
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, version 1809. Specifies the app channel ID.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
@@ -229,12 +244,16 @@ Added in Windows 10, version 1809. Interior node used to specify the effective a
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, version 1809. Returns the last user channel ID on the device.
-Value type is string. Supported operation is Get.
+Value type is string.
+
+Supported operation is Get.
**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, version 1809. Returns the last user release ID on the device.
-Value type is string. Supported operation is Get.
+Value type is string.
+
+Supported operation is Get.
**.../***PackageFamilyName*
Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
@@ -244,7 +263,6 @@ Supported operations are Get and Delete.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
-
Here's an example for uninstalling an app:
```xml
@@ -274,22 +292,30 @@ Supported operations are Get and Delete.
**.../*PackageFamilyName*/*PackageFullName*/Name**
-Required. Name of the app. Value type is string.
+Required. Name of the app.
+
+Value type is string.
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/Version**
-Required. Version of the app. Value type is string.
+Required. Version of the app.
+
+Value type is string.
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/Publisher**
-Required. Publisher name of the app. Value type is string.
+Required. Publisher name of the app.
+
+Value type is string.
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/Architecture**
-Required. Architecture of installed package. Value type is string.
+Required. Architecture of installed package.
+
+Value type is string.
> [!Note]
> Not applicable to XAP files.
@@ -297,7 +323,9 @@ Required. Architecture of installed package. Value type is string.
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
-Required. Install location of the app on the device. Value type is string.
+Required. Install location of the app on the device.
+
+Value type is string.
> [!Note]
> Not applicable to XAP files.
@@ -313,12 +341,16 @@ Required. Whether or not the app is a framework package. Value type is int. The
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
-Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int.
+Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases.
+
+Value type is int.
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
-Required. Date the app was installed. Value type is string.
+Required. Date the app was installed.
+
+Value type is string.
Supported operation is Get.
@@ -331,13 +363,15 @@ Required. Resource ID of the app. This value is null for the main app, ~ for a b
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
-Required. Provides information about the status of the package. Value type is int. Valid values are:
+Required. Provides information about the status of the package.
-- OK (0) - The package is usable.
-- LicenseIssue (1) - The license of the package isn't valid.
-- Modified (2) - The package payload was modified by an unknown source.
-- Tampered (4) - The package payload was tampered intentionally.
-- Disabled (8) - The package isn't available for use. It can still be serviced.
+Value type is int. Valid values are:
+
+- OK (0) - The package is usable.
+- LicenseIssue (1) - The license of the package isn't valid.
+- Modified (2) - The package payload was modified by an unknown source.
+- Tampered (4) - The package payload was tampered intentionally.
+- Disabled (8) - The package isn't available for use. It can still be serviced.
> [!Note]
> Not applicable to XAP files.
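Review bot: The PackageStatus values being reflowed here (0, 1, 2, 4, 8) are powers of two, but the text only says "Valid values are:" and never states whether they can be combined. An MDM server that tests for equality with 2 or 4 would miss a package reported as both Modified and Tampered, so say explicitly whether this is a bit mask. Also, "The package payload was tampered intentionally" should read "tampered with intentionally".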
@@ -355,15 +389,17 @@ Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/Users**
Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
-- Not Installed = 0
-- Staged = 1
-- Installed = 2
-- Paused = 6
+- Not Installed = 0
+- Staged = 1
+- Installed = 2
+- Paused = 6
Supported operation is Get.
**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
-Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int.
+Required. The value is 0 or 1 that indicates if the app is provisioned on the device.
+
+The value type is int.
Supported operation is Get.
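Review bot: The Users description still has "Value type is string." inline, while the four states listed under it are integers (0, 1, 2, 6) with no explanation of how they appear in the returned string. Since the list is being reflowed anyway, state how the per-user install state is encoded, and move the value type to its own paragraph as the other nodes in this patch do. In the IsProvisioned lines, "The value type is int." should match the "Value type is int." wording used elsewhere in the file.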
@@ -371,7 +407,9 @@ Supported operation is Get.
Added in Windows 10, version 2004.
Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
-The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int.
+The value is 1 if the package is a stub package and 0 (zero) for all other cases.
+
+Value type is int.
Supported operation is Get.
@@ -388,7 +426,9 @@ Added in Windows 10, version 1511. The *SettingValue* and data represent a key v
This setting only works for apps that support the feature and it's only supported in the user context.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
The following example sets the value for the 'Server'
@@ -425,7 +465,9 @@ The following example gets all managed app settings for a specific app.
**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate**
Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
-Supported operations are Add, Get, Delete, and Replace. Value type is integer.
+Supported operations are Add, Get, Delete, and Replace.
+
+Value type is integer.
Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
@@ -443,11 +485,14 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
-Value type is integer. Supported operations are Add, Get, and Replace.
+Value type is integer.
+
+Supported operations are Add, Get, and Replace.
Valid values:
-- 0 – app isn't in the nonremovable app policy list
-- 1 – app is included in the nonremovable app policy list
+
+- 0 – app isn't in the nonremovable app policy list
+- 1 – app is included in the nonremovable app policy list
**Examples:**
@@ -526,7 +571,6 @@ Supported operations are Get and Add.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
-
**AppInstallation/*PackageFamilyName*/StoreInstall**
Required. Command to perform an install of an app and a license from the Microsoft Store.
@@ -535,7 +579,8 @@ Supported operation is Execute, Add, Delete, and Get.
**AppInstallation/*PackageFamilyName*/HostedInstall**
Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source).
-The following list shows the supported deployment options:
+The following list shows the supported deployment options:
+
- ForceApplicationShutdown
- DevelopmentMode
- InstallAllResources
@@ -557,8 +602,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-
-
**AppInstallation/*PackageFamilyName*/LastErrorDesc**
Required. Description of last error relating to the app installation.
@@ -567,14 +610,13 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-
**AppInstallation/*PackageFamilyName*/Status**
Required. Status of app installation. The following values are returned:
-- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed.
-- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated.
-- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
-- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear.
+- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed.
+- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated.
+- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
+- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear.
Supported operation is Get.
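Review bot: The FAILED (2) item says the error details are "under LastError and LastErrorDescription", but the node documented just above is `AppInstallation/*PackageFamilyName*/LastErrorDesc`. Use the real node name in this line so that anyone building the LocURI from the text gets a path that exists.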
@@ -590,7 +632,6 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-
**AppLicenses**
Required node. Used to manage licenses for app scenarios.
@@ -603,23 +644,23 @@ Optional node. License ID for a store installed app. The license ID is generally
Supported operations are Add, Get, and Delete.
**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
-Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
+Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are:
-- Unknown - unknown license category
-- Retail - license sold through retail channels, typically from the Microsoft Store
-- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
-- OEM - license issued to an OEM
-- Developer - developer license, typically installed during the app development or side-loading scenarios.
+- Unknown - unknown license category
+- Retail - license sold through retail channels, typically from the Microsoft Store
+- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
+- OEM - license issued to an OEM
+- Developer - developer license, typically installed during the app development or side-loading scenarios.
Supported operation is Get.
**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
-Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values:
+Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are:
-- Unknown - usage is unknown
-- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
-- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
-- Enterprise Root -
+- Unknown - usage is unknown.
+- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time.
+- Offline - license is valid for use offline. You don't need a connection to the internet to use this license.
+- Enterprise Root -
Supported operation is Get.
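Review bot: The `- Enterprise Root -` item under LicenseUsage is carried over with an empty description. Either document what this usage means or drop the trailing hyphen so it does not read as truncated. The patch also adds a full stop to "usage is unknown." only, leaving the other items in both lists without one. Make the punctuation uniform.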
@@ -640,7 +681,6 @@ Supported operation is Execute.
## Examples
-
For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
Query the device for a specific app subcategory, such as nonStore apps.
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index aea59b7da0..4a840115e0 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -13,10 +13,21 @@ manager: dansimp
# eUICCs CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
-The following example shows the eUICCs configuration service provider in tree format.
+The following shows the eUICCs configuration service provider in tree format.
+
```
./Device/Vendor/MSFT
eUICCs
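Review bot: The added applicability table ends at `|Education|Yes|Yes|` with no blank `+` line before the "The eUICCs configuration service provider..." paragraph, so the paragraph can render as part of the table. Add an empty line after the last row. Dropping "example" leaves "The following shows the eUICCs configuration service provider in tree format", which reads awkwardly; something like "The following tree shows the eUICCs configuration service provider nodes" would be better. The context line "added in windows 10, version 1709" also needs a capital W.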
@@ -44,8 +55,9 @@ eUICCs
------------ResetToFactoryState
------------Status
```
+
**./Vendor/MSFT/eUICCs**
-Root node.
+Root node for the eUICCs CSP.
**_eUICC_**
Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
@@ -65,12 +77,16 @@ Supported operation is Get. Value type is boolean.
**_eUICC_/PPR1Allowed**
Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed.
-Supported operation is Get. Value type is boolean.
+Supported operation is Get.
+
+Value type is boolean.
**_eUICC_/PPR1AlreadySet**
Required. Indicates whether the eUICC already has a profile with PPR1.
-Supported operation is Get. Value type is boolean.
+Supported operation is Get.
+
+Value type is boolean.
**_eUICC_/DownloadServers**
Interior node. Represents default SM-DP+ discovery requests.
@@ -85,12 +101,16 @@ Supported operations are Add, Get, and Delete.
**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
-Supported operation is Get. Value type is integer. Default value is 1.
+Supported operation is Get.
+
+Value type is integer. Default value is 1.
**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created.
-Supported operations are Add, Get, and Replace. Value type is bool.
+Supported operations are Add, Get, and Replace.
+
+Value type is bool.
**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
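Review bot: The new AutoEnable line says "Value type is bool." while the PPR1Allowed and PPR1AlreadySet lines split in the previous hunk say "Value type is boolean." Use one type name for all Boolean nodes in this file so readers do not assume two different formats.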
@@ -105,22 +125,30 @@ Supported operations are Add, Get, and Delete.
**_eUICC_/Profiles/_ICCID_/ServerName**
Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
-Supported operations are Add and Get. Value type is string.
+Supported operations are Add and Get.
+
+Value type is string.
**_eUICC_/Profiles/_ICCID_/MatchingID**
Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
-Supported operations are Add and Get. Value type is string.
+Supported operations are Add and Get.
+
+Value type is string.
**_eUICC_/Profiles/_ICCID_/State**
Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
-Supported operation is Get. Value type is integer. Default value is 1.
+Supported operation is Get.
+
+Value type is integer. Default value is 1.
**_eUICC_/Profiles/_ICCID_/IsEnabled**
Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP.
-Supported operations are Add, Get, and Replace. Value type is bool.
+Supported operations are Add, Get, and Replace.
+
+Value type is bool.
**_eUICC_/Policies**
Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
@@ -130,7 +158,9 @@ Supported operation is Get.
**_eUICC_/Policies/LocalUIEnabled**
Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
-Supported operations are Get and Replace. Value type is boolean. Default value is true.
+Supported operations are Get and Replace.
+
+Value type is boolean. Default value is true.
**_eUICC_/Actions**
Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active).
@@ -140,9 +170,17 @@ Supported operation is Get.
**_eUICC_/Actions/ResetToFactoryState**
Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
-Supported operation is Execute. Value type is string.
+Supported operation is Execute.
+
+Value type is string.
**_eUICC_/Actions/Status**
Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
-Supported value is Get. Value type is integer. Default is 0.
+Supported value is Get.
+
+Value type is integer. Default is 0.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
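Review bot: The rewritten Actions/Status line keeps "Supported value is Get."; it should be "Supported operation is Get." like every other node in the file. The node is described as an HRESULT (S_OK, S_FALSE) but typed as integer with "Default is 0"; use the "Default value is 0" wording found elsewhere and say that 0 corresponds to S_OK.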
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index a9735120d7..022801745a 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -5,14 +5,25 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
-ms.date: 11/29/2021
+author: dansimp
ms.reviewer:
manager: dansimp
---
# Firewall configuration service provider (CSP)
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
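Review bot: The `+` paragraph beginning "The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server..." is identical to the unchanged paragraph immediately after it, so the intro will appear twice on the rendered page. Drop the added copy and keep only the table and its trailing blank line. In the kept paragraph, "This CSP was added Windows 10, version 1709" is missing "in". The front-matter change also removes `ms.date: 11/29/2021` without adding a new date; restore it with the current date if the publishing metadata requires that field.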
@@ -101,141 +112,145 @@ Firewall
----------------Status
----------------Name
```
+
**./Vendor/MSFT/Firewall**
-
Root node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider.
**MdmStore**
-
Interior node.
-
Supported operation is Get.
+Interior node.
+Supported operation is Get.
**MdmStore/Global**
-
Interior node.
-
Supported operations are Get.
+Interior node.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported**
-
Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
-
Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/CurrentProfiles**
-
Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.
-
Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/DisableStatefulFtp**
-
Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-
Default value is false.
-
Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
+Default value is false.
+
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime**
-
This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-
Default value is 300.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
+Default value is 300.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PresharedKeyEncoding**
-
Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-
Default value is 1.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
+Default value is 1.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/IPsecExempt**
-
This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-
Default value is 0.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/CRLcheck**
-
This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:
-
-
0 disables CRL checking
-
1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
-
2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
-
-
Default value is 0.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:
+
+- 0 disables CRL checking
+- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
+- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
+
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PolicyVersion**
-
This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.
-
Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.
+Value type is string. Supported operation is Get.
**MdmStore/Global/BinaryVersionSupported**
-
This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-
Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+Value type is string. Supported operation is Get.
**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
-
This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-
Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/EnablePacketQueue**
-
This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
-
-
0x00 indicates that all queuing is to be disabled
-
0x01 specifies that inbound encrypted packets are to be queued
-
0x02 specifies that packets are to be queued after decryption is performed for forwarding
-
+- 0x00 indicates that all queuing is to be disabled
+- 0x01 specifies that inbound encrypted packets are to be queued
+- 0x02 specifies that packets are to be queued after decryption is performed for forwarding
-
Default value is 0.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DomainProfile**
-
Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PrivateProfile**
-
Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PublicProfile**
-
Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**/EnableFirewall**
-
Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableStealthMode**
-
Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is false.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/Shielded**
-
Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-
Default value is false.
-
Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
+Default value is false.
+
+Value type is bool. Supported operations are Get and Replace.
**/DisableUnicastResponsesToMulticastBroadcast**
-
Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is false.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableInboundNotifications**
-
Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is false.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AuthAppsAllowUserPrefMerge**
-
Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/GlobalPortsAllowUserPrefMerge**
-
Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalPolicyMerge**
-
Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Default value is true.
+
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalIpsecPolicyMerge**
-
Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Default value is true.
+
+Value type is bool. Supported operations are Add, Get and Replace.
**/DefaultOutboundAction**
-
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
-
-
0x00000000 - allow
-
0x00000001 - block
-
-
Default value is 0 (allow).
-
Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow.
+
+- 0x00000000 - allow
+- 0x00000001 - block
+
+Default value is 0 (allow).
+Value type is integer. Supported operations are Add, Get and Replace.
Sample syncxml to provision the firewall settings to evaluate
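Review bot: In the added lines for SaIdleTime, PresharedKeyEncoding, IPsecExempt and most other nodes in this hunk, the description, "Default value is ..." and "Value type is ..." sentences now sit on consecutive lines with no blank line between them, so Markdown will join them into a single paragraph. DisableStatefulFtp, EnablePacketQueue, Shielded, AllowLocalPolicyMerge and AllowLocalIpsecPolicyMerge still keep a blank line before the last sentence, so the result is inconsistent as well. Keep a blank line between the sentences throughout, or end each line with an explicit line break. The EnablePacketQueue list is added directly under "Valid values:" without the blank line that the CRLcheck and DefaultOutboundAction lists get. Two typos are carried over unchanged on the added lines: "Value type in integer" (twice, including under CurrentProfiles) should read "Value type is integer", and "Valid valued:" under CRLcheck should read "Valid values:". The DefaultOutboundAction sentence changing from "block" to "allow" is the only behavioural statement altered in this hunk. It now agrees with the stated default of 0 (allow), and that correction should be called out in the change description rather than left inside a formatting pass.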
@@ -261,163 +276,168 @@ Sample syncxml to provision the firewall settings to evaluate
```
+
**/DefaultInboundAction**
-
This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.
-
-
0x00000000 - allow
-
0x00000001 - block
-
-
Default value is 1 (block).
-
Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.
+
+- 0x00000000 - allow
+- 0x00000001 - block
+
+Default value is 1 (block).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DisableStealthModeIpsecSecuredPacketExemption**
-
Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-
Default value is true.
-
Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**FirewallRules**
-
A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
**FirewallRules/_FirewallRuleName_**
-
Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-
Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App**
-
Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
-
-
PackageFamilyName
-
FilePath
-
FQBN
-
ServiceName
-
-
If not specified, the default is All.
-
Supported operation is Get.
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
+
+- PackageFamilyName
+- FilePath
+- FQBN
+- ServiceName
+
+If not specified, the default is All.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
-
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath**
-
This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/Fqbn**
-
Fully Qualified Binary Name
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/ServiceName**
-
This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Protocol**
-
0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-
If not specified, the default is All.
-
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+If not specified, the default is All.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalPortRanges**
-
Comma separated list of ranges. For example, 100-120,200,300-320.
-
If not specified, the default is All.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemotePortRanges**
-
Comma separated list of ranges, For example, 100-120,200,300-320.
-
If not specified, the default is All.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
-
Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
-
-
"*" indicates any local address. If present, the local address must be the only token included.
-
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
-
A valid IPv6 address.
-
An IPv4 address range in the format of "start address - end address" with no spaces included.
-
An IPv6 address range in the format of "start address - end address" with no spaces included.
-
-
If not specified, the default is All.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
+
+- "*" indicates any local address. If present, the local address must be the only token included.
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+- A valid IPv6 address.
+- An IPv4 address range in the format of "start address - end address" with no spaces included.
+- An IPv6 address range in the format of "start address - end address" with no spaces included.
+
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
-
List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
-
-
"*" indicates any remote address. If present, the address must be the only token included.
-
"Defaultgateway"
-
"DHCP"
-
"DNS"
-
"WINS"
-
"Intranet"
-
"RmtIntranet"
-
"Internet"
-
"Ply2Renders"
-
"LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive.
-
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
-
A valid IPv6 address.
-
An IPv4 address range in the format of "start address - end address" with no spaces included.
-
An IPv6 address range in the format of "start address - end address" with no spaces included.
-
-
If not specified, the default is All.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+
+- "*" indicates any remote address. If present, the address must be the only token included.
+- "Defaultgateway"
+- "DHCP"
+- "DNS"
+- "WINS"
+- "Intranet"
+- "RmtIntranet"
+- "Internet"
+- "Ply2Renders"
+- "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive.
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+- A valid IPv6 address.
+- An IPv4 address range in the format of "start address - end address" with no spaces included.
+- An IPv6 address range in the format of "start address - end address" with no spaces included.
+
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
**FirewallRules/_FirewallRuleName_/Description**
-
Specifies the description of the rule.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Enabled**
-
Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
-
If not specified - a new rule is enabled by default.
-
Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is enabled by default.
+Boolean value. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Profiles**
-
Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-
If not specified, the default is All.
-
Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types.
+If not specified, the default is All.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Action**
-
Specifies the action for the rule.
-
Supported operation is Get.
+Specifies the action for the rule.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Action/Type**
-
Specifies the action the rule enforces. Supported values:
-
-
0 - Block
-
1 - Allow
-
-
If not specified, the default is allow.
-
Value type is integer. Supported operations are Get and Replace.
+Specifies the action the rule enforces. Supported values:
+
+- 0 - Block
+- 1 - Allow
+
+If not specified, the default is allow.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Direction**
-
The rule is enabled based on the traffic direction as following. Supported values:
-
-
IN - the rule applies to inbound traffic.
-
OUT - the rule applies to outbound traffic.
-
If not specified, the default is Out.
-
-
Value type is string. Supported operations are Get and Replace.
+The rule is enabled based on the traffic direction as following. Supported values:
+
+- IN - the rule applies to inbound traffic.
+- OUT - the rule applies to outbound traffic.
+- If not specified, the default is Out.
+
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/InterfaceTypes**
-
Comma separated list of interface types. Valid values:
-
-
RemoteAccess
-
Wireless
-
Lan
-
-
If not specified, the default is All.
-
Value type is string. Supported operations are Get and Replace.
+Comma separated list of interface types. Valid values:
+
+- RemoteAccess
+- Wireless
+- Lan
+
+If not specified, the default is All.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/EdgeTraversal**
-
Indicates whether edge traversal is enabled or disabled for this rule.
-
The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-
New rules have the EdgeTraversal property disabled by default.
-
Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Value type is bool. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**
-
Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Status**
-
Provides information about the specific version of the rule in deployment for monitoring purposes.
-
Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Name**
-
Name of the rule.
-
Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
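Review bot: In the InterfaceTypes, EdgeTraversal, LocalUserAuthorizationList, Status and Name entries, the added description lines follow one another with no blank line between them, so Markdown joins them into a single paragraph (for example, "If not specified, the default is All." runs straight into "Value type is string. Supported operations are Get and Replace."). The removed version kept these as separate paragraphs. Put a blank line after each bold node name and between the description, the default, and the value-type line.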
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 4933026bdc..4b0d882361 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -14,14 +14,25 @@ ms.date:
# Device HealthAttestation CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
The following list is a description of the functions performed by the Device HealthAttestation CSP:
-- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
-- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
+- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device
+- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service)
+- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
+- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
## Windows 11 Device health attestation
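Review bot: The sentence that introduces the new edition table, "The table below shows the applicability of Windows:", does not say what applies to what. Wording such as "The following table shows which Windows editions support this CSP:" would tell the reader what a Yes or No in the table means.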
@@ -63,6 +74,7 @@ Attestation flow can be broadly in three main steps:
For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
### Configuration Service Provider Nodes
+
Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
```console
@@ -249,7 +261,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
```
> [!NOTE]
-> > MAA CSP nodes are available on arm64 but isn't currently supported.
+> MAA CSP nodes are available on arm64 but isn't currently supported.
### MAA CSP Integration Steps
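Review bot: The corrected note line still reads "MAA CSP nodes are available on arm64 but isn't currently supported". The subject is plural, so "isn't" should be "aren't"; fix it while the line is being touched for the extra ">" marker.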
@@ -574,12 +586,12 @@ Provides the current status of the device health request.
The supported operation is Get.
-The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
+The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
-- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
-- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
-- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
-- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
+- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
+- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
+- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
+- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
**ForceRetrieve** (Optional)
@@ -623,14 +635,14 @@ Value type is integer. The supported operation is Get.
The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
-1. [Verify HTTPS access](#verify-access)
-2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
-3. [Instruct client to prepare DHA-data for verification](#prepare-health-data)
-4. [Take action based on the clients response](#take-action-client-response)
-5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation)
-6. [Post DHA-data to DHA-service](#forward-data-to-has)
-7. [Receive response from DHA-service](#receive-has-response)
-8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action)
+1. [Verify HTTPS access](#verify-access)
+2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
+3. [Instruct client to prepare DHA-data for verification](#prepare-health-data)
+4. [Take action based on the clients response](#take-action-client-response)
+5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation)
+6. [Post DHA-data to DHA-service](#forward-data-to-has)
+7. [Receive response from DHA-service](#receive-has-response)
+8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action)
Each step is described in detail in the following sections of this topic.
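Review bot: Item 4 of the re-indented list still reads "Take action based on the clients response" without the apostrophe. The Step 4 heading later in this file uses "client's response"; the link text should match it.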
@@ -688,6 +700,7 @@ SSL-Session:
### Step 2: Assign an enterprise trusted DHA-Service
There are three types of DHA-Service:
+
- Device Health Attestation – Cloud (owned and operated by Microsoft)
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
@@ -738,7 +751,6 @@ The following example shows a sample call that triggers collection and verificat
### Step 4: Take action based on the client's response
-
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
@@ -762,11 +774,11 @@ Here's a sample alert that is issued by DHA_CSP:
```
+
- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
### Step 5: Instruct the client to forward health attestation data for verification
-
Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
Here's an example:
@@ -823,24 +835,24 @@ When the MDM-Server receives the above data, it must:
- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
- - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
- - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
-
+ - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3)
+ - DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3)
### Step 7: Receive response from the DHA-service
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
+
- Decrypts the encrypted data it receives.
-- Validates the data it has received
-- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format
+- Validates the data it has received.
+- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format.
### Step 8: Take appropriate policy action based on evaluation results
After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
-- Allow the device access.
-- Allow the device to access the resources, but flag the device for further investigation.
-- Prevent a device from accessing resources.
+- Allow the device access.
+- Allow the device to access the resources, but flag the device for further investigation.
+- Prevent a device from accessing resources.
The following list of data points is verified by the DHA-Service in DHA-Report version 3:
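Review bot: The DHA-OnPrem or DHA-EMC line now wraps https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 in a Markdown link, but that host is a placeholder for the enterprise's own server, so the rendered link leads nowhere. Keep the placeholder as plain or code-formatted text and link only the Microsoft-operated endpoint. "FDQN" in the placeholder also looks like a typo for FQDN.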
@@ -890,8 +902,8 @@ If AIKPresent = True (1), then allow access.
If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
+- Disallow all access.
+- Disallow access to HBI assets.
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
@@ -911,21 +923,21 @@ Data Execution Prevention (DEP) Policy defines a set of hardware and software te
DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
-- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
+- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
+- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
If DEPPolicy = 1 (On), then allow access.
If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
+- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BitLockerStatus** (at boot time)
-When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen.
@@ -935,10 +947,10 @@ If BitLockerStatus = 1 (On), then allow access.
If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
+- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootManagerRevListVersion**
@@ -946,12 +958,12 @@ This attribute indicates the version of the Boot Manager that is running on the
If BootManagerRevListVersion = [CurrentVersion], then allow access.
-If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI and MBI assets
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI and MBI assets.
+- Place the device in a watch list to monitor the device more closely for potential risks.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityRevListVersion**
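Review bot: In the changed line "If `BootManagerRevListVersion !`= [CurrentVersion]", the closing backtick falls between "!" and "=", which splits the != operator so that half of it renders as code and half as text. Either put the whole comparison inside the code span or drop the backticks so the line matches the "BootManagerRevListVersion = [CurrentVersion]" line above it. The last list item also still reads "contact the owner investigate the issue", which is missing "to".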
@@ -959,12 +971,12 @@ This attribute indicates the version of the code that is performing integrity ch
If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
-If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI and MBI assets
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI and MBI assets.
+- Place the device in a watch list to monitor the device more closely for potential risks.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**SecureBootEnabled**
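Review bot: The line "If `CodeIntegrityRevListVersion !`= [CurrentVersion]" has the closing backtick inside the != operator. Move it after the full comparison, or remove the code span so the line is formatted like the "CodeIntegrityRevListVersion = [CurrentVersion]" line that precedes it.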
@@ -974,10 +986,10 @@ If SecureBootEnabled = 1 (True), then allow access.
If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
+- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootDebuggingEnabled**
@@ -985,17 +997,17 @@ Boot debug-enabled points to a device that is used in development and testing. D
Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
-- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
+- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**.
+- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**.
If BootdebuggingEnabled = 0 (False), then allow access.
If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Place the device in a watch list to monitor the device more closely for potential risks.
+- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
**OSKernelDebuggingEnabled**
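Review bot: The corrective action in the last list item, "enabling VSM using WMI or a PowerShell script", does not match this attribute. The condition being handled is BootDebuggingEnabled = 1 and the commands listed above are the bootdebug ones, so the remediation looks like it should be disabling boot debugging. The allow line also spells the name "BootdebuggingEnabled" while the next line uses "BootDebuggingEnabled".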
@@ -1005,10 +1017,10 @@ If OSKernelDebuggingEnabled = 0 (False), then allow access.
If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Place the device in a watch list to monitor the device more closely for potential risks.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityEnabled**
@@ -1022,10 +1034,10 @@ If CodeIntegrityEnabled = 1 (True), then allow access.
If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
-- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
+- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**TestSigningEnabled**
@@ -1033,17 +1045,17 @@ When test signing is enabled, the device doesn't enforce signature validation du
Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
-- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
-- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
+- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**.
+- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**.
If TestSigningEnabled = 0 (False), then allow access.
If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI and MBI assets
-- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
+- Disallow all access.
+- Disallow access to HBI and MBI assets.
+- Place the device in a watch list to monitor the device more closely for potential risks.
+- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
**SafeMode**
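Review bot: Both command bullets say "boot debugging" ("To disable boot debugging, type bcdedit.exe /set {current} testsigning off") although the commands toggle testsigning; they should read "test signing". The last item of the action list also offers "enabling test signing" as the corrective action for TestSigningEnabled = 1, which is the state being remediated, so it should say disabling.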
@@ -1053,9 +1065,9 @@ If SafeMode = 0 (False), then allow access.
If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**WinPE**
@@ -1067,7 +1079,7 @@ If WinPE = 1 (True), then limit access to remote resources that are required for
**ELAMDriverLoaded** (Windows Defender)
-To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
+To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
@@ -1077,9 +1089,9 @@ If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True),
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**Bcdedit.exe /set {current} vsmlaunchtype auto**
@@ -1087,9 +1099,9 @@ If ELAMDriverLoaded = 1 (True), then allow access.
If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
-- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+- Disallow all access.
+- Disallow access to HBI assets.
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**VSMEnabled**
@@ -1102,8 +1114,8 @@ VSM can be enabled by using the following command in WMI or a PowerShell script:
If VSMEnabled = 1 (True), then allow access.
If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Disallow access to HBI assets
+- Disallow all access.
+- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
**PCRHashAlgorithmID**
@@ -1118,7 +1130,7 @@ If reported BootAppSVN equals an accepted value, then allow access.
If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**BootManagerSVN**
@@ -1129,7 +1141,7 @@ If reported BootManagerSVN equals an accepted value, then allow access.
If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**TPMVersion**
@@ -1153,13 +1165,12 @@ The measurement that is captured in PCR[0] typically represents a consistent vie
Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison.
If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action.
-
If PCR[0] equals an accepted allowlist value, then allow access.
If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+- Disallow all access.
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**SBCPHash**
@@ -1169,7 +1180,7 @@ If SBCPHash isn't present, or is an accepted allow-listed value, then allow acce
If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
**CIPolicy**
@@ -1180,7 +1191,7 @@ If CIPolicy isn't present, or is an accepted allow-listed value, then allow acce
If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Place the device in a watch list to monitor the device more closely for potential risks.
**BootRevListInfo**
@@ -1191,7 +1202,7 @@ If reported BootRevListInfo version equals an accepted value, then allow access.
If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**OSRevListInfo**
@@ -1202,7 +1213,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access.
If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
-- Disallow all access
+- Disallow all access.
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**HealthStatusMismatchFlags**
diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
index 1e315bc4b1..d134a5fcb2 100644
Binary files a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 35bed03a19..e17aa75f60 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
-- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
+- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
-- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
+- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
-- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
+- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
@@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
> [!NOTE]
-> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
+> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
-In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
+In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
-- Both MAM and MDM policies for the organization support WIP.
+- Both MAM and MDM policies for the organization support Windows Information Protection.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.
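Review bot: the rewritten paragraph spells out "Windows Information Protection" at its first mention but keeps "WIP-protected documents" later in the same sentence, so the abbreviation is now used without being introduced in this section. Write the first mention as "Windows Information Protection (WIP)" or change the remaining one to "documents protected by Windows Information Protection". The paragraph and the list also keep the "EDP CSP" name beside the new wording; one clause stating how the EDP CSP relates to Windows Information Protection would help the admin who has to set RevokeOnUnenroll and RevokeOnMDMHandoff to avoid an unintended selective wipe.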
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 7fe9cd95eb..5bd11c744d 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -1,28 +1,28 @@
---
title: Mobile device management
-description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
+description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
-ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
-ms.author: dansimp
-ms.topic: article
+ms.topic: overview
ms.prod: w10
ms.technology: windows
-author: dansimp
+author: aczechowski
+ms.author: aaroncz
ms.collection: highpri
+ms.date: 06/03/2022
---
# Mobile device management
-Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
+Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
-There are two parts to the Windows management component:
+There are two parts to the Windows management component:
-- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
-- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
+- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## MDM security baseline
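Review bot: in the front matter, the corrected description still reads "avoiding compromise of user's privacy" while the body paragraph changed in this same hunk says "the users' privacy"; make the description match. The "Third-party MDM servers" paragraph is removed and re-added with no visible wording change and still names only Windows 10 ("manage Windows 10", "Windows 10 users"), although the opening paragraph now covers Windows 10 and Windows 11; either leave the line untouched or align it.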
@@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas:
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
-For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
+For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
@@ -48,37 +48,27 @@ For more details about the MDM policies defined in the MDM security baseline and
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
-
-
-## Learn about migrating to MDM
-
-When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf).
-
-
## Learn about device enrollment
-
-- [Mobile device enrollment](mobile-device-enrollment.md)
-- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
-- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+- [Mobile device enrollment](mobile-device-enrollment.md)
+- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
+- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
+- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## Learn about device management
-
-- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
-- [Enterprise app management](enterprise-app-management.md)
-- [Mobile device management (MDM) for device updates](device-update-management.md)
-- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
-- [OMA DM protocol support](oma-dm-protocol-support.md)
-- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
-- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
-- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
+- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
+- [Enterprise app management](enterprise-app-management.md)
+- [Mobile device management (MDM) for device updates](device-update-management.md)
+- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
+- [OMA DM protocol support](oma-dm-protocol-support.md)
+- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
+- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
+- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
## Learn about configuration service providers
-
-- [Configuration service provider reference](configuration-service-provider-reference.md)
-- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
-- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
-- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
+- [Configuration service provider reference](configuration-service-provider-reference.md)
+- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
+- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
+- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
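Review bot: the "Learn about migrating to MDM" section is deleted outright, which removes the pointer to the MDM Migration Analysis Tool and its report of Group Policy settings versus MDM support, with no replacement text. If the tool is retired, say so in the commit description; if not, keep a one-line link under one of the remaining "Learn about" headings. The hunk also deletes the empty line between each "## Learn about ..." heading and its list; keep that separator.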
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
deleted file mode 100644
index b50647fabd..0000000000
--- a/windows/client-management/mdm/messaging-csp.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: Messaging CSP
-description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
-ms.reviewer:
-manager: dansimp
----
-
-# Messaging CSP
-
-The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
-
-The following shows the Messaging configuration service provider in tree format.
-
-```console
-./User/Vendor/MSFT
-Messaging
-----AuditingLevel
-----Auditing
---------Messages
-----------Count
-----------RevisionId
-----------Data
-```
-
-**./User/Vendor/MSFT/Messaging**
-
-
Root node for the Messaging configuration service provider.
-
-**AuditingLevel**
-
Turns on the "Text" auditing feature.
-
The following list shows the supported values:
-
-
0 (Default) - Off
-
1 - On
-
-
Supported operations are Get and Replace.
-
-**Auditing**
-
Node for auditing.
-
Supported operation is Get.
-
-**Messages**
-
Node for messages.
-
Supported operation is Get.
-
-**Count**
-
The number of messages to return in the Data setting. The default is 100.
-
Supported operations are Get and Replace.
-
-**RevisionId**
-
Retrieves messages whose revision ID is greater than RevisionId.
-
Supported operations are Get and Replace.
-
-**Data**
-
The JSON string of text messages on the device.
-
Supported operations are Get and Replace.
-
-
-**SyncML example**
-
-```xml
-
-
-
- 2
-
-
-
- ./User/Vendor/MSFT/Messaging/Auditing/Messages/Count
-
-
-
- int
- text/plain
-
- 100
-
-
-
- 3
-
-
-
- ./User/Vendor/MSFT/Messaging/Auditing/Messages/RevisionId
-
-
-
- chr
- text/plain
-
- 0
-
-
-
- 4
-
-
-
- ./User/Vendor/MSFT/Messaging/Auditing/Messages/Data
-
-
-
-
-
-
-
-```
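Review bot: messaging-csp.md is deleted in full (and messaging-ddf.md in the next file), but nothing visible for this path adds a redirect or removes inbound links, so existing links to the Messaging CSP and its DDF page will break. Add redirect entries for both paths and drop them from the CSP reference list. Because the page documents text message auditing (AuditingLevel and the Auditing/Messages nodes), the change description should also state whether the CSP itself is retired or only its documentation.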
diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md
deleted file mode 100644
index efdad0e72a..0000000000
--- a/windows/client-management/mdm/messaging-ddf.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Messaging DDF file
-description: Utilize the OMA DM device description framework (DDF) for the Messaging configuration service provider.
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 12/05/2017
-ms.reviewer:
-manager: dansimp
----
-
-# Messaging DDF file
-
-This topic shows the OMA DM device description framework (DDF) for the Messaging configuration service provider. This CSP was added in Windows 10, version 1703.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-
-The XML below is the current version for this CSP.
-
-```xml
-
-]>
-
- 1.2
-
- Messaging
- ./User/Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- AuditingLevel
-
-
-
-
-
- 0
- Turns on the 'Text' auditing feature. 0 = off, 1 = on
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Auditing
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Messages
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Count
-
-
-
-
-
- 100
- Number of messages to return in the 'Data' element
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RevisionId
-
-
-
-
-
- 0
- Retrieves messages whose revision id is greater than the 'RevisionId'
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Data
-
-
-
-
- JSON string of 'text' messages on the device
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
-
-```
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index aa2284255f..3a2861bbf1 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# MultiSIM CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
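Review bot: the added table ends at "|Education|Yes|Yes|" with no added empty line before the "The MultiSIM configuration service provider ..." paragraph, unlike the same table in nap-csp.md, which is followed by an added empty line. Without the separator the paragraph can be rendered as part of the table, so add it here; the tables added to nodecache-csp.md and office-csp.md show the same pattern. The lead-in "The table below shows the applicability of Windows:" is also unclear; "The following table shows which Windows editions this CSP applies to:" says what the table means.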
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index c29289fd2b..540ea74cc1 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -14,6 +14,17 @@ ms.date: 06/26/2017
# NAP CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections.
> [!Note]
@@ -67,7 +78,7 @@ Root node.
***NAPX***
Required. Defines the name of the network access point.
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
+It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead).
***NAPX*/NAPID**
Required. Specifies the identifier of the destination network.
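Review bot: replacing "but" with ", however," in the last sentence of the NAPX description creates a comma splice ("... can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name"). Keep "but", or end the sentence and start a new one with "However,".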
@@ -97,7 +108,7 @@ The following table shows some commonly used ADDRTYPE values and the types of co
Optional node. Specifies the authentication information, including the protocol, user name, and password.
***NAPX*/AuthInfo/AuthType**
-Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5.
+Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5.
***NAPX*/AuthInfo/AuthName**
Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*.
@@ -111,7 +122,8 @@ Queries of this field will return a string composed of 16 asterisks (\*).
Node.
***NAPX*/Bearer/BearerType**
-Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
+
+Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi.
## Related articles
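Review bot: in the BearerType description, "WiFi" becomes "Wi-Fi" inside the list of values the parameter can be set to. If the provider expects the literal string WiFi, the page now documents a value that will not be accepted; keep value names exactly as they must be typed, preferably in code formatting, and confirm the spelling against the DDF. "This can be set to GPRS, ..., DTPT, and Wi-Fi" should also use "or", since a bearer has one type.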
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 075e0f6619..0f71a1c998 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -14,7 +14,18 @@ ms.date: 06/26/2017
# NAPDEF CSP
-The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The NAPDEF configuration service provider is used to add, modify, or delete WAP Network Access Points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
> [!Note]
> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
@@ -71,7 +82,7 @@ A query of this parameter returns asterisks (\*) in the results.
**AUTHTYPE**
Specifies the protocol used to authenticate the user.
-The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
+The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols.
> [!Note]
> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change.
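Review bot: the AUTHTYPE line is edited to drop the stray trailing "Note" but still gives "POP" as the value for Password Authentication Protocol. The abbreviation of that protocol is PAP, and the nap-csp.md hunk in this same commit lists PAP and CHAP. Correct the permitted value while the line is being touched, after checking it against the WAP specification the page cites (WAP-183-ProvCont-20010724-a).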
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 743fe416fa..47b33480b1 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -13,11 +13,22 @@ manager: dansimp
# NetworkProxy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
How the settings work:
-- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
+- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it.
- If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
- If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
- Otherwise, the system tries to reach the site directly.
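Review bot: the list under "How the settings work" uses "-" bullets, yet its second and third items refer to "#1" and "#2", which only resolve in a numbered list. Since the first item is edited here, convert the four items to a numbered list, or reword the references ("If auto-detect fails and a setup script is specified ...").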
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index cf15fbcacc..5f455a3e9c 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -13,6 +13,17 @@ manager: dansimp
# NetworkQoSPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703.
The following conditions are supported:
@@ -71,7 +82,7 @@ NetworkQoSPolicy
The supported operations are Add, Get, Delete, and Replace.
***Name*/AppPathNameMatchCondition**
-
Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
+
Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.
The data type is char.
@@ -111,7 +122,7 @@ NetworkQoSPolicy
The supported operations are Add, Get, Delete, and Replace.
***Name*/DSCPAction**
-
The differentiated services code point (DSCP) value to apply to matching network traffic.
+
The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.
Valid values are 0-63.
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index 039ac5d742..b307fa75b3 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# NodeCache CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes.
@@ -72,7 +82,7 @@ NodeCache
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
***ProviderID***
-Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.
+Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic.
Supported operations are Get, Add, and Delete.
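Review bot: "*ProviderID*" was italic because it is a placeholder for the server's provider ID, matching the "***ProviderID***" node heading above it. Changing it to "**ProviderID**" formats it like the literal node name **NodeCache** in the same sentence, so a reader may take it for a fixed node name. Keep the italics, or use bold italics as in the heading.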
@@ -383,10 +393,11 @@ It represents this example:
U09NRU5FV1ZBTFVF
```
-Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking.
-If a Uri isn't set, the node will always be reported as changed, as in Node Id 10.
-The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
+Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking.
+If a Uri is not set, the node will always be reported as changed, as in Node ID 10.
+
+The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
## Related topics
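Review bot: the rewritten sentence states "the device name is now U09NRU5FV1ZBTFVF", but that string is the Base64 form of the value (it decodes to SOMENEWVALUE), so a reader comparing it with the actual device name will not find a match. Say that the value inside the node tag is Base64-encoded. The "Id" to "ID" change should apply to prose only; put the attribute names Id and Uri in code formatting so they are not confused with the prose term.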
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 79204c2935..e3ee2537c2 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# Office CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 21cc92b117..6714139d27 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -14,7 +14,19 @@ ms.date: 07/19/2019
# PassportForWork CSP
-The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+
> [!IMPORTANT]
> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
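Review bot: the intro paragraph changes "sign in to Windows" to "log in to Windows" with no stated reason, reversing wording the page already had; keep "sign in". The same sentence still mixes "smartcards" and "virtual smart cards"; use "smart cards" for both while the line is being rewritten.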
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index ff76751aef..736959df4e 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -13,6 +13,17 @@ manager: dansimp
# Personalization CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
This CSP was added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 142d9058c1..61da8064e2 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 03/01/2022
+ms.date: 06/06/2022
---
# Policies in Policy CSP supported by HoloLens 2
@@ -50,11 +50,15 @@ ms.date: 03/01/2022
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
-- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 10
+- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
+- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
+- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
+- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9
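Review bot: the added "MixedReality/AADGroupMembershipCacheValidityInDays" entry duplicates the existing entry on the following line, which links the same anchor and already carries footnote 9; drop the new line. The added ConfigureMovingPlatform entry has an unmatched "*" before its release-notes link, and the new entries link "policy-csp-mixedreality.md" where the neighbouring entries use "./policy-csp-mixedreality.md"; close or remove the asterisk and use one link form.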
@@ -102,13 +106,13 @@ ms.date: 03/01/2022
- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 10
-- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 10
+- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11
+- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 10
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 10
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 10
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 10
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
@@ -116,10 +120,10 @@ ms.date: 03/01/2022
- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 10
-- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 10
+- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11
+- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
-- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 10
+- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
@@ -133,8 +137,9 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
-- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
+- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
+- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
+- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
## Related topics
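Review bot: Footnote 10 is redefined from 21H2 to 21H1 in the Footnotes hunk, so any list entry in this file that still ends in 10 and was not touched by this patch now silently claims 21H1 availability. The Update/* entries shown above were moved to 11; please confirm that every remaining 10 marker really is a 21H1 policy. Footnote 9 now points at /hololens/hololens-release-notes-2004 while 10 and 11 point at /hololens/hololens-release-notes, so also check that the 20H2 anchor exists on the -2004 page.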
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index f23dbf7f6b..e984f6f104 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -41,6 +41,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 2a640df633..e261b05c4e 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -31,6 +31,12 @@ manager: dansimp
+
+
+
+**FileExplorer/AllowOptionToShowNetwork**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy allows the user with an option to show the network folder when restricted.
+
+
+
+
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow the user the option to show Network folder when restricted*
+- GP name: *AllowOptionToShowNetwork*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+
+**FileExplorer/AllowOptionToShowThisPC**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+This policy allows the user with an option to show this PC location when restricted.
+
+
+
+
+The following list shows the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow the user the option to show Network folder when restricted*
+- GP name: *AllowOptionToShowThisPC*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
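Review bot: The ADMX block for FileExplorer/AllowOptionToShowThisPC carries the GP friendly name "Allow the user the option to show Network folder when restricted", which is the friendly name of AllowOptionToShowNetwork and looks like a copy-paste; it should name the This PC option. The two policies also differ in scope (Device for AllowOptionToShowNetwork, User for AllowOptionToShowThisPC), so please confirm that is intended. Both descriptions read "allows the user with an option"; "gives the user the option" would be clearer, and neither says which policy does the restricting that "when restricted" refers to.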
@@ -48,6 +163,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -90,6 +206,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -109,6 +226,8 @@ ADMX Info:
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
+
+
ADMX Info:
- GP Friendly name: *Turn off heap termination on corruption*
@@ -120,5 +239,120 @@ ADMX Info:
+
+**FileExplorer/SetAllowedFolderLocations**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+
+
+
+The following list shows the supported values:
+
+- 0: All folders
+- 15:Desktop, Documents, Pictures, and Downloads
+- 31:Desktop, Documents, Pictures, Downloads, and Network
+- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
+- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+- GP name: *SetAllowedFolderLocations*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+
+**FileExplorer/SetAllowedStorageLocations**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+
+This policy configures the folders that the user can enumerate and access in the File Explorer.
+
+
+
+
+The following list shows the supported values:
+
+- 0: all storage locations
+- 1: Removable Drives
+- 2: Sync roots
+- 3: Removable Drives, Sync roots, local drive
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
+- GP name: *SetAllowedStorageLocations*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
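Review bot: FileExplorer/SetAllowedStorageLocations repeats the description and the GP friendly name of SetAllowedFolderLocations word for word ("configures the folders that the user can enumerate and access"), so a reader cannot tell the two policies apart; describe it in terms of storage locations. The value lists need tightening as well: in SetAllowedStorageLocations, 1 and 2 read like flags, yet 3 is documented as "Removable Drives, Sync roots, local drive" rather than only their combination, so state whether the value is a bitmask and which value covers the local drive. In SetAllowedFolderLocations, add a space after the colon in the entries for 15 through 63 and explain or drop the square brackets. The file also ends without a trailing newline.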
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 8f26e60ff4..e6fde52f63 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Games
-
-
@@ -27,7 +25,6 @@ manager: dansimp
-
@@ -39,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -56,7 +54,9 @@ manager: dansimp
-Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
+Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
+
+Supported value type is integer.
@@ -72,3 +72,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index c2b205ad92..8602af165b 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Handwriting
-
-
@@ -27,7 +25,6 @@ manager: dansimp
-
@@ -39,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -60,9 +58,9 @@ This policy allows an enterprise to configure the default mode for the handwriti
The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
-In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction.
+In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction.
-The docked mode is especially useful in Kiosk mode where you don't expect the end-user to drag the flying-in panel out of the way.
+The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way.
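Review bot: The comma added in "drag the flying-in panel, to see the rest of the content" separates the verb from its purpose clause and reads worse than the original; suggest reverting it. The comma before "where" in the Kiosk sentence is fine.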
@@ -85,3 +83,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index 9ce283864c..8b672ccbbf 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - HumanPresence
-
-
@@ -33,7 +31,6 @@ manager: dansimp
-
@@ -45,6 +42,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
@@ -62,7 +60,7 @@ manager: dansimp
-This policy specifies whether the device can lock when a human presence sensor detects a human.
+This policy specifies, whether the device can lock when a human presence sensor detects a human.
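Review bot: The comma inserted after "specifies" splits the verb from its object clause ("specifies, whether the device can lock") and should be dropped. The same insertion recurs in the later HumanPresence description hunks of this file.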
@@ -79,7 +77,7 @@ The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
-- Defaults to 0.
+- Defaults to 0
@@ -94,6 +92,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
@@ -111,7 +110,7 @@ The following list shows the supported values:
-This policy specifies whether the device can lock when a human presence sensor detects a human.
+This policy specifies, whether the device can lock when a human presence sensor detects a human.
@@ -128,7 +127,7 @@ The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
-- Defaults to 0.
+- Defaults to 0
@@ -143,6 +142,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
@@ -160,7 +160,7 @@ The following list shows the supported values:
-This policy specifies at what distance the sensor wakes up when it sees a human in seconds.
+This policy specifies, at what distance the sensor wakes up when it sees a human in seconds.
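Review bot: "at what distance the sensor wakes up when it sees a human in seconds" pairs a distance with a unit of time, and this hunk only adds a comma instead of resolving that. Please state the actual unit of the value, and drop the comma after "specifies".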
@@ -172,7 +172,7 @@ ADMX Info:
-Integer value that specifies whether the device can lock when a human presence sensor detects a human.
+Integer value that specifies, whether the device can lock when a human presence sensor detects a human.
The following list shows the supported values:
@@ -188,3 +188,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index a4b2b54bee..1f621319a6 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -13,8 +13,6 @@ manager: dansimp
# Policy CSP - InternetExplorer
-
-
@@ -803,11 +801,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
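Review bot: The removed and added lines of this TIP read identically here, so this looks like a whitespace-only change. Since the CDATA line is being touched anyway, consider switching the link from http://www.w3.org to https, and rewording "online encoders" so that admins are steered toward encoding policy payloads locally.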
@@ -820,6 +818,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -840,9 +839,12 @@ manager: dansimp
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
-If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
+If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]).
-If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
+> [!NOTE]
+> This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
+
+If you disable or do not configure this policy setting, the user can configure their list of search providers, unless another policy setting restricts such configuration.
@@ -867,6 +869,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -885,7 +888,7 @@ ADMX Info:
-This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
+This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites, so that ActiveX controls can run properly.
If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
@@ -914,6 +917,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -938,11 +942,11 @@ This list can be used with the 'Deny all add-ons unless specifically allowed in
If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
-Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
+- Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
-Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
+- Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied, enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
-If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
+If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will determine, whether add-ons not in this list are assumed to be denied.
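Review bot: The CLSID example on the first new bullet is kept as '{000000000-0000-0000-0000-0000000000000}', whose first and last groups are each one digit too long for the 8-4-4-4-12 layout and whose opening quote is a curly quote paired with a straight one; fix both while the line is being rewritten, and add the missing comma in "in brackets for example". In the last paragraph, "will determine, whether" should lose the comma, and dropping "still" weakens the point that the deny-all policy continues to apply after the list is deleted.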
@@ -967,6 +971,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -988,7 +993,7 @@ This AutoComplete feature can remember and suggest User names and passwords on F
If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords".
-If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.
+If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.
If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.
@@ -1015,6 +1020,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1033,7 +1039,7 @@ ADMX Info:
-This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
+This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned, when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
If you enable this policy setting, the certificate address mismatch warning always appears.
@@ -1062,6 +1068,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1113,6 +1120,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1162,6 +1170,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1180,7 +1189,7 @@ ADMX Info:
-This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services.
+This policy setting allows Internet Explorer to provide enhanced suggestions, as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm.
@@ -1222,6 +1231,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1240,7 +1250,7 @@ Supported values:
-This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
+This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode, using the Tools menu.
If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
@@ -1269,6 +1279,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1316,6 +1327,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1333,7 +1345,7 @@ ADMX Info:
-This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
+This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below, when TLS 1.0 or greater fails.
We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.
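Review bot: The description is left contradicting itself: the first sentence says the setting lets you block insecure fallback, the second says that when the policy is enabled Internet Explorer will attempt SSL 3.0 or below after TLS 1.0 or greater fails. This hunk only adds a comma before "when". Since the following line recommends not allowing fallback, please state explicitly which state (enabled or disabled) blocks it, so admins do not enable the policy expecting protection.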
@@ -1364,6 +1376,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1411,6 +1424,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1429,7 +1443,7 @@ ADMX Info:
-This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
+This policy setting controls, how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
@@ -1460,6 +1474,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1478,7 +1493,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
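Review bot: Splitting the sentence leaves "For example, Low, Medium Low, Medium, or High." as a fragment with no verb. Either keep the original comma or write it as a full sentence, such as "For example, you can select Low, Medium Low, Medium, or High." The same split is repeated in the other zone template hunks of this file.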
@@ -1486,9 +1501,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1513,6 +1530,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1531,7 +1549,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone, consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
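Review bot: This copy of the template sentence gains an extra comma ("in this zone, consistent with a selected security level") that the other occurrences of the same sentence in this patch do not have. Make the wording identical across the zone templates, and avoid leaving "For example, Low, Medium Low, Medium, or High." as a standalone fragment.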
@@ -1539,9 +1557,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1566,6 +1586,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1584,7 +1605,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1592,9 +1613,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1619,6 +1642,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1637,7 +1661,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1645,9 +1669,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
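Review bot: The two `> [!NOTE]` alerts added here sit directly next to each other, so check that a blank, unquoted line separates them in the file; without one, both collapse into a single quote block and the second `[!NOTE]` marker shows up as literal text. Since the conversion touches this text anyway, "It is recommended to configure" could also become the more direct "We recommend configuring".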
@@ -1672,6 +1698,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1690,7 +1717,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1698,9 +1725,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1725,6 +1754,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1743,7 +1773,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1751,9 +1781,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1778,6 +1810,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1796,7 +1829,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -1804,9 +1837,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -1831,6 +1866,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1878,6 +1914,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1936,6 +1973,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1956,13 +1994,19 @@ ADMX Info:
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
-Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
+Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are:
+1. Intranet zone
+1. Trusted Sites zone
+1. Internet zone
+1. Restricted Sites zone
-If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
+Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
-Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
+If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
-Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
+- Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
+
+- Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
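Review bot: The new Valuename bullet still carries the empty code span in "if you enter `` as the valuename", so the protocol-specific example the sentence depends on is missing; restore the intended value before merging. In the same bullet, the trailing comma sits inside the code span in `www.contoso.com,` and should move outside it. The two bullets also use different separators ("Valuename –" and "Value -"); pick one. Because the zone number is the value admins enter, consider writing the list as explicit 1. to 4. rather than repeating "1." so the raw Markdown reads correctly too.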
@@ -2019,6 +2063,7 @@ Value and index pairs in the SyncML example:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2068,6 +2113,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2086,7 +2132,7 @@ ADMX Info:
-This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit.
+This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft, to suggest sites that the user might want to visit.
If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions.
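Review bot: The comma added in "to Microsoft, to suggest sites" separates the purpose clause from the verb it explains and is not needed; the original sentence read correctly without it.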
@@ -2117,6 +2163,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2135,7 +2182,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2143,9 +2190,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -2170,6 +2219,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2188,7 +2238,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2196,9 +2246,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -2223,6 +2275,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2241,7 +2294,7 @@ ADMX Info:
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High.
If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
@@ -2249,9 +2302,11 @@ If you disable this template policy setting, no security level is configured.
If you do not configure this template policy setting, no security level is configured.
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+> [!NOTE]
+> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!NOTE]
+> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
@@ -2276,6 +2331,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2325,6 +2381,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2343,7 +2400,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
+This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software, and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.
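Review bot: In the parenthetical, the added comma in "signed software, and verifies" splits a compound predicate and should be dropped. While editing this line, note that "which identifies ... and verifies" refers to the plural "digital signatures", so the verbs should be "identify" and "verify".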
@@ -2373,6 +2430,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2396,21 +2454,21 @@ Enables you to configure up to three versions of Microsoft Edge to open a redire
If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:
- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
- 1 = Microsoft Edge Stable
- 2 = Microsoft Edge Beta version 77 or later
- 3 = Microsoft Edge Dev version 77 or later
- 4 = Microsoft Edge Canary version 77 or later
+ - 1 = Microsoft Edge Stable
+ - 2 = Microsoft Edge Beta version 77 or later
+ - 3 = Microsoft Edge Dev version 77 or later
+ - 4 = Microsoft Edge Canary version 77 or later
- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.
If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur:
- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
- 0 = Microsoft Edge version 45 or earlier
- 1 = Microsoft Edge Stable
- 2 = Microsoft Edge Beta version 77 or later
- 3 = Microsoft Edge Dev version 77 or later
- 4 = Microsoft Edge Canary version 77 or later
+ - 0 = Microsoft Edge version 45 or earlier
+ - 1 = Microsoft Edge Stable
+ - 2 = Microsoft Edge Beta version 77 or later
+ - 3 = Microsoft Edge Dev version 77 or later
+ - 4 = Microsoft Edge Canary version 77 or later
- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
@@ -2642,6 +2700,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2662,7 +2721,7 @@ ADMX Info:
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.
-This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
+This policy setting determines, whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain, but the MIME sniff indicates that the file is really an executable file, then Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.
If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.
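Review bot: The comma in "This policy setting determines, whether Internet Explorer requires" separates the verb from its object clause and is ungrammatical; remove it. The added ", but ... , then Internet Explorer renames" is fine, though "then" is optional after a conditional this short.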
@@ -2693,6 +2752,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2713,7 +2773,7 @@ ADMX Info:
This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
> [!Caution]
-> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
+> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download, breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML.
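Review bot: The comma in "Turning off this automatic download, breaks the" separates the subject from its verb; remove it. The alert marker on the context line is written `[!Caution]` while the alerts introduced elsewhere in this patch use upper case (`[!NOTE]`, `[!IMPORTANT]`), so normalize it to `[!CAUTION]` in the same pass. Given that this alert describes a setting that weakens out-of-date ActiveX blocking, it is worth keeping the wording exact.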
@@ -2751,6 +2811,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2800,6 +2861,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2847,6 +2909,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2894,6 +2957,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2952,6 +3016,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2970,7 +3035,10 @@ Supported values:
-This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history.
+This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, do the following:
+
+1. From the Menu bar, on the Tools menu, click Internet Options.
+1. Click the General tab, and then click Settings under Browsing history.
If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history.
@@ -2999,6 +3067,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3046,6 +3115,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3095,6 +3165,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3146,6 +3217,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3193,6 +3265,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3217,7 +3290,8 @@ If you enable this policy setting, the browser negotiates or does not negotiate
If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
-Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
+> [!NOTE]
+> SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
@@ -3242,6 +3316,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3300,6 +3375,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3318,7 +3394,7 @@ Supported values:
-This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+This policy setting prevents Internet Explorer from running the First Run wizard, the first time a user starts the browser after installing Internet Explorer or Windows.
If you enable this policy setting, you must make one of the following choices:
- Skip the First Run wizard, and go directly to the user's home page.
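Review bot: The comma added in "running the First Run wizard, the first time a user starts the browser" detaches the time clause from the verb it modifies and makes the sentence harder to parse. Keep the original wording without the comma, here and in the matching "If you disable or do not configure" paragraph.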
@@ -3326,7 +3402,7 @@ If you enable this policy setting, you must make one of the following choices:
Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
-If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
+If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard, the first time the browser is started after installation.
@@ -3351,6 +3427,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3402,6 +3479,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3462,6 +3540,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3506,6 +3585,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3578,6 +3658,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3625,6 +3706,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3676,6 +3758,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3694,13 +3777,14 @@ ADMX Info:
-This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
+This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility), when running in Enhanced Protected Mode on 64-bit versions of Windows.
-Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
+> [!IMPORTANT]
+> Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
-If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows.
-If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
+If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
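Review bot: The commas inserted before "when running in Enhanced Protected Mode" in the first, "If you enable" and "If you disable" paragraphs split a restrictive clause from the verb it limits. The 64-bit or 32-bit choice applies only in Enhanced Protected Mode, so the original unpunctuated wording was correct. Suggest keeping the [!IMPORTANT] callout conversion and dropping the three comma additions.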
@@ -3727,6 +3811,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3774,6 +3859,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3821,6 +3907,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3845,7 +3932,8 @@ If you enable this policy setting, you can specify which default home pages shou
If you disable or do not configure this policy setting, the user can add secondary home pages.
-Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages.
+> [!NOTE]
+> If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages.
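Review bot: The new [!NOTE] line keeps typographic quotes around “Disable Changing Home Page Settings”, while the other notes converted in this patch use straight quotes around policy names, for example "Disable the Security page". Suggest normalising to straight quotes while this line is being touched, so that a search for the policy name matches.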
@@ -3870,6 +3958,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3917,6 +4006,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3936,7 +4026,7 @@ ADMX Info:
Prevents Internet Explorer from checking whether a new version of the browser is available.
-If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
+If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifies users if a new version is available.
If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.
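Review bot: In the "If you enable this policy" paragraph, changing "notifying" to "notifies" reverses the meaning. The sentence now says that enabling the policy stops the version check and also notifies users of a new version, whereas the original made both the check and the notification things the policy prevents. That original reading is consistent with the unchanged "If you disable this policy or do not configure it" paragraph. Suggest reverting to "and notifying users if a new version is available", or writing "and from notifying users if a new version is available".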
@@ -3965,6 +4055,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4025,6 +4116,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4076,6 +4168,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4101,7 +4194,8 @@ If you disable this policy or do not configure it, users can add Web sites to or
This policy prevents users from changing site management settings for security zones established by the administrator.
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
+> [!NOTE]
+> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
@@ -4128,6 +4222,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4153,7 +4248,8 @@ If you disable this policy or do not configure it, users can change the settings
This policy prevents users from changing security zone settings established by the administrator.
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
+> [!NOTE]
+> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
Also, see the "Security zones: Use only machine settings" policy.
@@ -4180,6 +4276,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4229,6 +4326,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4251,9 +4349,9 @@ This policy setting allows you to manage a list of domains on which Internet Exp
If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
-2. "hostname". For example, if you want to include http://example, use "example"
-3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com".
+2. "hostname". For example, if you want to include http://example, use "example".
+3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
@@ -4282,6 +4380,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4310,8 +4409,8 @@ This policy setting lets admins enable extended Microsoft Edge Internet Explorer
The following list shows the supported values:
-- 0 (default) - Disabled.
-- 1 - Enabled.
+- 0 (default) - Disabled
+- 1 - Enabled
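Review bot: The terminal periods are removed from the two supported-value items here, while the domain-format hunk earlier in this patch adds terminal periods to its three list items. Suggest picking one convention for list items across the file and stating it in the commit message, so that later edits do not flip them back.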
@@ -4334,6 +4433,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4352,11 +4452,11 @@ ADMX Info:
-This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
+This policy setting controls, whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
-If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
+If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered in the Intranet Zone (so would typically be in the Internet Zone).
If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
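Review bot: Two wording regressions in this hunk. In the first paragraph, the comma in "controls, whether local sites" separates the verb from its object clause and should be removed. The same "controls, whether", "manage, whether" and "determines, whether" comma is added in many later hunks of this patch and should be dropped there too. In the "If you disable" paragraph, "will not be considered in the Intranet Zone" loses the "to be" that the "If you enable" paragraph still has ("are considered to be in the Intranet Zone"). Suggest restoring "will not be considered to be in the Intranet Zone" so the two paragraphs stay parallel.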
@@ -4383,6 +4483,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4401,7 +4502,7 @@ ADMX Info:
-This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
+This policy setting controls, whether URLs representing UNCs are mapped into the local Intranet security zone.
If you enable this policy setting, all network paths are mapped into the Intranet Zone.
@@ -4432,6 +4533,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4450,7 +4552,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -4481,6 +4583,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4499,7 +4602,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -4530,6 +4633,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4548,7 +4652,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -4577,6 +4681,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4595,11 +4700,11 @@ ADMX Info:
-This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
-If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.
+If you select Prompt in the drop-down box, users are queried, whether to perform clipboard operations.
If you disable this policy setting, a script cannot perform a clipboard operation.
@@ -4628,6 +4733,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4646,7 +4752,7 @@ ADMX Info:
-This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
@@ -4677,6 +4783,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4695,7 +4802,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -4726,6 +4833,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4744,11 +4852,11 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
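Review bot: The removed and added versions of the "If you enable this policy setting, Web sites from less privileged zones can open new windows in" paragraph read identically, so this is presumably a whitespace-only change. If so, note that in the commit message or leave the line out so the diff shows only real edits. Separately, the comma in "manage, whether Web sites" should be removed. The comma added before "as set by Protection from Zone Elevation feature control" is fine.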
@@ -4775,6 +4883,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4824,6 +4933,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4842,9 +4952,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
@@ -4873,6 +4983,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4891,7 +5002,7 @@ ADMX Info:
-This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
+This policy setting controls, whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
@@ -4920,6 +5031,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4938,7 +5050,7 @@ ADMX Info:
-This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
@@ -4967,6 +5079,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5016,6 +5129,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5034,7 +5148,7 @@ ADMX Info:
-This policy setting determines whether a page can control embedded WebBrowser controls via script.
+This policy setting determines, whether a page can control embedded WebBrowser controls via script.
If you enable this policy setting, script access to the WebBrowser control is allowed.
@@ -5065,6 +5179,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5083,7 +5198,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -5114,6 +5229,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5132,7 +5248,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -5140,7 +5256,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
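Review bot: The new note line has a comma between subject and verb, "whether Phishing Filter, scans pages in this zone", which the removed line did not have. Suggest "> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content." and keeping the [!NOTE] conversion.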
@@ -5165,6 +5282,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5183,7 +5301,7 @@ ADMX Info:
-This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+This policy setting allows you to manage, whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
@@ -5212,6 +5330,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5230,7 +5349,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -5261,6 +5380,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5279,7 +5399,7 @@ ADMX Info:
-This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
+This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you selected Enable in the drop-down box, VBScript can run without user intervention.
@@ -5312,6 +5432,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5332,11 +5453,11 @@ ADMX Info:
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
-If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
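Review bot: The commas added before "to see if it's safe" in all three paragraphs are not needed, because the infinitive clause states the purpose of the check and reads more clearly attached to it. While this text is being edited, the "If you enable" paragraph deserves more attention than punctuation: enabling the setting is the state in which Internet Explorer does not check ActiveX controls with the antimalware program. That inverted sense is easy to misread. Suggest calling it out in a [!NOTE] or [!IMPORTANT] block like the ones introduced elsewhere in this patch.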
@@ -5361,6 +5482,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5379,13 +5501,13 @@ ADMX Info:
-This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
If you disable the policy setting, signed controls cannot be downloaded.
-If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
+If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
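Review bot: The removed and added "If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted" lines are textually identical as shown, so this looks like a whitespace-only change. Please confirm that is intended. Also drop the comma in "manage, whether users may download signed ActiveX controls" in the first paragraph.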
@@ -5410,6 +5532,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5428,7 +5551,7 @@ ADMX Info:
-This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
@@ -5459,6 +5582,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5506,6 +5630,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5524,15 +5649,15 @@ ADMX Info:
-This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows.
-If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting.
-If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting.
-In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
-In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting.
@@ -5557,6 +5682,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5575,15 +5701,15 @@ ADMX Info:
-This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window.
-If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting.
-If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
-In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
-In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
@@ -5608,6 +5734,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5657,6 +5784,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5675,7 +5803,7 @@ ADMX Info:
-This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
+This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities, by reducing the locations that Internet Explorer can write to in the registry and the file system.
If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.
@@ -5706,6 +5834,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5724,7 +5853,7 @@ ADMX Info:
-This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+This policy setting controls whether or not local path information is sent, when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
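Review bot: The comma added in "local path information is sent, when the user is uploading a file" makes the first paragraph inconsistent with the unchanged next paragraph, which still reads "path information is sent when the user is uploading a file via an HTML form". The clause is restrictive, so the version without the comma is the correct one. Suggest reverting this line.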
@@ -5755,6 +5884,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5805,7 +5935,8 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
-|Business|||
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
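Review bot: The Business row changes from empty cells to Yes|Yes in the same edit that adds the Windows SE row. That is a content change rather than formatting. Please confirm the values against the policy's actual edition support and mention the fix in the commit message. This is also the only visible table in the patch where Home is Yes|Yes, so check that Windows SE No|Yes is correct for this policy and was not copied from the other tables.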
@@ -5828,6 +5959,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5852,7 +5984,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
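Review bot: The comma added before "and user-controlled file I/O" in the Medium Safety line splits a two-item list ("scratch space ... and user-controlled file I/O"), and coming right after the closing parenthesis it makes the I/O clause look detached from "capabilities like". Suggest dropping it, or restructuring the sentence if the parenthetical definitions are what make it hard to read.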
@@ -5883,6 +6015,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5901,9 +6034,9 @@ ADMX Info:
-This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
-If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
+If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone, without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
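Review bot: "manage, whether" in the first changed line puts a comma between the verb and the clause that is its object, which is ungrammatical; the original "manage whether applications may be run" was correct. The second change ("in this zone, without user intervention") is harmless, but the first should be reverted.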
@@ -5932,6 +6065,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -5954,11 +6088,11 @@ This policy setting allows you to manage settings for logon options.
If you enable this policy setting, you can choose from the following logon options.
-Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
-Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+Automatic logon, only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.
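Review bot: "Automatic logon, only in Intranet zone" inserts a comma into what this list presents as the name of a logon option, alongside "Anonymous logon", "Prompt for user name and password" and "Automatic logon with current user name and password". Readers will look for the option text as it appears in the policy drop-down, so the label should stay as "Automatic logon only in Intranet zone"; if the sentence needs help, separate the label from its description instead.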
@@ -5989,6 +6123,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6007,13 +6142,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -6038,6 +6173,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6056,9 +6192,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components.
If you disable this policy setting, Internet Explorer will not execute signed managed components.
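Review bot: Both edits in this hunk ("manage, whether" and "determine, whether") place a comma between a verb and its object clause. Neither improves readability and both read as errors; suggest leaving the original sentences unchanged.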
@@ -6087,6 +6223,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6105,7 +6242,7 @@ ADMX Info:
-This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+This policy setting controls, whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
@@ -6136,6 +6273,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6154,7 +6292,7 @@ ADMX Info:
-This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened, when the end user clicks a link are not blocked.
If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
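Review bot: In the second sentence, "Pop-up windows that are opened, when the end user clicks a link are not blocked" now has a comma inside the restrictive clause that identifies which pop-ups are exempt, and no matching comma after "link", so the sentence no longer parses cleanly. The exemption for user-initiated pop-ups is the point of that sentence; keep the original punctuation there and drop the comma in "manage, whether" as well.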
@@ -6185,6 +6323,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6203,13 +6342,13 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -6234,6 +6373,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6252,7 +6392,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -6283,6 +6423,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6301,7 +6442,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -6330,6 +6471,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6348,7 +6490,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -6379,6 +6521,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6397,11 +6540,11 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
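Review bot: The "If you enable this policy setting" line is removed and re-added with text that reads identically as shown, so the difference is presumably whitespace only; if that is a trailing-space or double-space cleanup, fine, otherwise it is noise in the diff. The "manage, whether" comma in the first changed line should be dropped.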
@@ -6428,6 +6571,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6446,9 +6590,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag, and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
@@ -6477,6 +6621,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6495,7 +6640,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -6526,6 +6671,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6544,7 +6690,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -6552,7 +6698,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
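Review bot: Converting the inline "Note:" to a `> [!NOTE]` block is a good change, but the rewritten sentence gains a comma between subject and verb ("whether Phishing Filter, scans pages"), which the removed line did not have. Suggest "> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content." The "controls, whether" comma added earlier in this section has the same problem.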
@@ -6577,6 +6724,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6595,7 +6743,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -6626,6 +6774,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6644,13 +6793,13 @@ ADMX Info:
-This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
-If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
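Review bot: The comma before "to see if it's safe" is added to the disable and not-configured sentences but not to the unchanged enable sentence between them, so three otherwise parallel sentences are now punctuated two different ways. Either apply the same form to all three or, preferably, leave all three as they were, and drop the comma in "determines, whether".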
@@ -6675,6 +6824,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6726,6 +6876,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6750,7 +6901,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -6781,6 +6932,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6799,13 +6951,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -6830,6 +6982,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6851,7 +7004,7 @@ ADMX Info:
This policy setting prevents intranet sites from being opened in any browser except Internet Explorer.
> [!NOTE]
-> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect.
+> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) policy is not enabled, then this policy has no effect.
If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.
If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge.
@@ -6905,6 +7058,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6923,7 +7077,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -6954,6 +7108,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -6972,7 +7127,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7003,6 +7158,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7021,7 +7177,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -7050,6 +7206,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7068,7 +7225,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -7099,6 +7256,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7117,13 +7275,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control.
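Review bot: The last added line drops the word "on": the removed text said the security feature "will be on in this zone as set by Protection from Zone Elevation feature control", while the replacement says it "will be in this zone, as set by ...". That changes a statement about the protection being enabled into one that says nothing about its state, and it no longer matches the disable sentence directly above, which keeps "will be on in this zone". Restore "on".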
@@ -7148,6 +7306,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7166,9 +7325,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
@@ -7197,6 +7356,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7215,7 +7375,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -7246,6 +7406,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7264,7 +7425,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -7272,7 +7433,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
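Review bot: The new note block reads "whether Phishing Filter, scans pages", with a stray comma after "Phishing Filter" that was not in the line it replaces. Keep the `> [!NOTE]` formatting and remove that comma.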
@@ -7297,6 +7459,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7315,7 +7478,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -7346,6 +7509,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7364,13 +7528,13 @@ ADMX Info:
-This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
-If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
@@ -7395,6 +7559,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7446,6 +7611,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7470,7 +7636,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -7501,6 +7667,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7519,13 +7686,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
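Review bot: The commas added before "and access" in the three changed sentences split a compound ("open windows and frames from other domains and access applications") and are not needed. Since these lines are being touched, note also that the hunk keeps "cannot" and "do not configure", while other sentences changed by this patch use contractions such as "don't configure"; pick one style.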
@@ -7550,6 +7717,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7568,7 +7736,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
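Review bot: "manage, whether Internet Explorer can access data" puts a comma between the verb and the clause that is its object, which is ungrammatical; the removed line was correct. The same insertion ("manage, whether", "manages, whether", "determines, whether", "controls, whether") recurs in later hunks of this file and should be reverted there too.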
@@ -7599,6 +7767,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7617,7 +7786,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -7648,6 +7817,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7666,7 +7836,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
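Review bot: The added comma in "determines, whether users will be prompted" should be removed, and since the sentence is being edited anyway, "non user-initiated" should be hyphenated as "non-user-initiated".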
@@ -7695,6 +7865,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7713,7 +7884,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -7744,6 +7915,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7762,13 +7934,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control.
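Review bot: The last added line drops a word: "will be on in this zone" became "will be in this zone", which no longer says that the Protection from Zone Elevation feature is enabled. The "disable" sentence just above it in the same hunk keeps "will be on in this zone, as set by", so restore "on" here. The comma in "manage, whether Web sites" on the first added line is also unneeded.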
@@ -7793,6 +7965,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7811,9 +7984,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether, .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
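Review bot: The comma on the first added line lands after "whether" rather than before it: "manage whether, .NET Framework components" separates "whether" from the clause it introduces. It should be removed, as should the comma in "prompt the user to determine, whether to execute" on the second added line.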
@@ -7842,6 +8015,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7860,7 +8034,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -7891,6 +8065,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7909,7 +8084,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -7917,7 +8092,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
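Review bot: Converting the note to the `> [!NOTE]` callout is fine, but the added text also inserts a comma between subject and verb: "whether Phishing Filter, scans pages". Keep the callout and restore "whether Phishing Filter scans pages"; the same added line recurs in later hunks of this file.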
@@ -7942,6 +8118,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -7960,7 +8137,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
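Review bot: The comma in "the state of the page can be restored, if this policy setting is appropriately configured" makes the condition read as an afterthought, when the restore depends on it. The original restrictive "restored if" was clearer.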
@@ -7991,6 +8168,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8042,6 +8220,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8066,7 +8245,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -8097,6 +8276,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8115,13 +8295,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -8146,6 +8326,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8170,7 +8351,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -8201,6 +8382,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8219,13 +8401,13 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
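Review bot: The last added line reads "queried to choose, whether to allow", while the unchanged "enable" sentence earlier in the same hunk has "queried to choose whether to allow" with no comma. Drop the new comma so the two sentences match; the same applies to "manage, whether Internet Explorer" on the first added line.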
@@ -8250,6 +8432,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8268,7 +8451,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -8299,6 +8482,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8317,7 +8501,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -8346,6 +8530,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8364,7 +8549,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8395,6 +8580,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8413,13 +8599,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
@@ -8444,6 +8630,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8462,9 +8649,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
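Review bot: This copy of the sentence reads "manage, whether .NET Framework components", while another copy added elsewhere in this patch reads "manage whether, .NET Framework components". Neither comma belongs; removing both also keeps the per-zone copies of this text identical.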
@@ -8493,6 +8680,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8511,7 +8699,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -8542,6 +8730,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8560,7 +8749,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -8568,7 +8757,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
@@ -8593,6 +8783,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8611,7 +8802,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -8642,6 +8833,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8693,6 +8885,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8711,13 +8904,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -8742,6 +8935,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8760,7 +8954,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -8791,6 +8985,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8809,7 +9004,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -8840,6 +9035,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8858,7 +9054,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -8887,6 +9083,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8905,7 +9102,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -8936,6 +9133,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -8954,13 +9152,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
@@ -8985,6 +9183,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9003,9 +9202,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
@@ -9034,6 +9233,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9052,7 +9252,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -9083,6 +9283,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9101,7 +9302,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -9109,7 +9310,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
@@ -9134,6 +9336,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9152,7 +9355,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9183,6 +9386,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9234,6 +9438,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9258,7 +9463,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
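Review bot: The comma inserted after "(a safe and secure storage area on the client computer)" in the Medium Safety line changes the grouping of the list. "Scratch space" and "user-controlled file I/O" were both examples of the capabilities granted beyond the sandbox, and with the comma "user-controlled file I/O" reads as a separate third item. This sentence defines what the Medium Safety level permits, so keep the original punctuation.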
@@ -9289,6 +9494,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9307,13 +9513,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
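Review bot: All three changed lines add a comma before "and access ...", which splits a two-part predicate ("open windows and frames from other domains and access applications from other domains"). The commas make the not-configured default, which permits cross-domain access, harder to parse. Revert them, or restructure the sentence, for example "users can open windows and frames from other domains and can access applications from other domains".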
@@ -9338,6 +9544,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9356,7 +9563,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
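Review bot: "manage, whether" in the changed sentence puts a comma between the verb and its object clause. Revert to "manage whether Internet Explorer can access data from another security zone". The unchanged context line below still uses the construction without a comma ("queried to choose whether to allow a page to be loaded").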
@@ -9387,6 +9594,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9405,7 +9613,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -9436,6 +9644,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9454,7 +9663,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
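Review bot: The new comma in "determines, whether users will be prompted" should be removed, for the same verb-and-object reason. If this line is being edited anyway, the useful fix is the compound modifier: "non user-initiated file downloads" should be "non-user-initiated file downloads", which the patch leaves as is.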
@@ -9483,6 +9692,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9501,7 +9711,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -9532,6 +9742,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9550,13 +9761,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
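Review bot: Two different commas are introduced here and neither helps. "manage, whether Web sites from less privileged zones" breaks verb from object, and "will be on in this zone, as set by Protection from Zone Elevation feature control" loosens the link to the feature control that decides the behaviour. The disable and not-configured lines are identical apart from their opening clause, so any wording change should be applied to both in the same way; reverting all three lines is the simplest fix.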
@@ -9581,6 +9792,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9599,9 +9811,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
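Review bot: Both changed lines insert a comma directly before "whether" ("manage, whether .NET Framework components ..." and "prompt the user to determine, whether to execute unsigned managed components"). In each case the "whether" clause is the object of the verb and takes no comma. Revert both. The second one sits in the sentence describing the Prompt option for unsigned code, where a clean reading matters most.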
@@ -9630,6 +9842,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9648,7 +9861,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -9679,6 +9892,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9697,7 +9911,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
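Review bot: "controls, whether Windows Defender SmartScreen scans pages" adds a comma that the unchanged context line in the next hunk does not use ("the user can choose whether Windows Defender SmartScreen scans pages"). Keep the description consistent with the rest of the paragraph and drop the comma.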
@@ -9705,7 +9919,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
@@ -9730,6 +9945,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9748,7 +9964,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -9779,6 +9995,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9797,7 +10014,7 @@ ADMX Info:
-This policy setting allows you to manage ActiveX controls not marked as safe.
+This policy setting allows you to manage, ActiveX controls not marked as safe.
If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
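Review bot: "manage, ActiveX controls not marked as safe" places a comma between the verb and its direct object, which is a plain error rather than a style choice. Revert to "This policy setting allows you to manage ActiveX controls not marked as safe". The context line below, which warns that enabling the setting is not recommended outside secure and administered zones, is unchanged and reads correctly.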
@@ -9830,6 +10047,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9854,7 +10072,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -9885,6 +10103,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9903,9 +10122,9 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
+If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
@@ -9934,6 +10153,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -9952,7 +10172,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -9983,6 +10203,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10001,7 +10222,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -10032,6 +10253,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10050,7 +10272,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -10079,6 +10301,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10097,7 +10320,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -10128,6 +10351,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10150,9 +10374,9 @@ This policy setting allows you to manage whether Web sites from less privileged
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
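Review bot: This occurrence of the zone-elevation text is edited inconsistently with the earlier one in the same patch. The hunk header shows the opening sentence still reading "manage whether Web sites from less privileged", while the earlier occurrence was changed to "manage, whether". The form without the comma is the correct one, so revert the earlier change rather than propagating it here, and drop the "in this zone, as set by" commas on the two changed lines as well.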
@@ -10177,6 +10401,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10195,9 +10420,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
@@ -10226,6 +10451,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10244,7 +10470,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -10275,6 +10501,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10293,7 +10520,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls whether, Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
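Review bot: The comma lands after "whether" here ("controls whether, Windows Defender SmartScreen scans pages"), which differs from the "controls, whether" form used for the same sentence elsewhere in this patch. The mismatch suggests these commas were placed by hand and not reviewed. Neither position is correct; restore "controls whether Windows Defender SmartScreen scans pages in this zone for malicious content".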
@@ -10301,7 +10528,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
@@ -10326,6 +10554,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10344,7 +10573,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -10375,6 +10604,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10426,6 +10656,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10450,7 +10681,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -10481,6 +10712,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10499,13 +10731,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -10530,6 +10762,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10579,6 +10812,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10597,7 +10831,7 @@ ADMX Info:
-This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
+This policy setting determines, whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.
If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
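Review bot: "determines, whether Internet Explorer MIME sniffing will prevent promotion" should not carry a comma after "determines". Revert the line. The original already states the control precisely: whether sniffing may promote a file of one type to a more dangerous file type.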
@@ -10628,6 +10862,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10646,7 +10881,7 @@ ADMX Info:
-This policy setting allows you to specify what is displayed when the user opens a new tab.
+This policy setting allows you to specify, what is displayed when the user opens a new tab.
If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed.
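Review bot: "specify, what is displayed when the user opens a new tab" separates "specify" from its object clause. Remove the comma. The context line below lists the options ("the new tab page or the new tab page with my news feed"); if a punctuation pass is wanted, a serial comma there would be the consistent place for it, not here.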
@@ -10689,6 +10924,7 @@ Supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10707,7 +10943,7 @@ Supported values:
-This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.
+This policy setting allows you to manage, whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.
If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
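Review bot: Drop the comma in "manage, whether the Notification bar is displayed". Since this paragraph is being touched, also note the capitalisation mismatch between the changed line ("Internet Explorer processes") and the context line that follows ("Internet Explorer Processes"); pick one form, preferably the lowercase one used twice in the first sentence.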
@@ -10738,6 +10974,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10785,6 +11022,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10832,6 +11070,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10850,7 +11089,7 @@ ADMX Info:
-Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.
+Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation, if there is no security context.
If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
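Review bot: The comma in "Zone Elevation also disables JavaScript navigation, if there is no security context" makes the condition read as optional commentary. The behaviour described is conditional on the missing security context, so the restrictive form without the comma is the accurate one. Revert this line; it is the only change in the hunk.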
@@ -10881,6 +11120,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10901,9 +11141,9 @@ ADMX Info:
This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.
-If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.
+If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control.
-If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.
+If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
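Review bot: Both changed lines add a comma before "when Internet Explorer blocks an outdated ActiveX control". That clause identifies which warning message is meant, so it is restrictive and should not be set off. Revert to "the warning message that appears when Internet Explorer blocks an outdated ActiveX control" in both the enable and the disable/not-configured sentences.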
@@ -10930,6 +11170,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -10979,6 +11220,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11028,6 +11270,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11046,7 +11289,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
@@ -11077,6 +11320,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11095,7 +11339,7 @@ ADMX Info:
-This policy setting allows you to manage whether script code on pages in the zone is run.
+This policy setting allows you to manage, whether script code on pages in the zone is run.
If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.
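Review bot: "manage, whether script code on pages in the zone is run" has the same stray comma after "manage". Revert it; the following context sentence uses "choose whether to allow script code" without a comma, and the description should match.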
@@ -11126,6 +11370,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11144,7 +11389,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
@@ -11175,6 +11420,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11193,7 +11439,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
@@ -11222,6 +11468,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11271,6 +11518,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11289,7 +11537,7 @@ ADMX Info:
-This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
+This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
If you enable this policy setting, a script can perform a clipboard operation.
@@ -11322,6 +11570,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11340,7 +11589,7 @@ ADMX Info:
-This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
+This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone.
If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.
@@ -11371,6 +11620,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11389,7 +11639,7 @@ ADMX Info:
-This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
+This policy setting allows you to manage, whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
If you enable this policy setting, files can be downloaded from the zone.
@@ -11420,6 +11670,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11438,7 +11689,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
@@ -11469,6 +11720,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11487,13 +11739,13 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
@@ -11518,6 +11770,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11567,6 +11820,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11585,7 +11839,7 @@ ADMX Info:
-This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
+This policy setting allows you to manage, whether a user's browser can be redirected to another Web page, if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
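Review bot: The added line inserts two commas that break restrictive clauses: "manage, whether a user's browser can be redirected to another Web page, if the author of the Web page uses the Meta Refresh setting". The "if" clause is the condition under which the redirect happens, so setting it off with a comma weakens the statement. Suggest keeping the original punctuation. If the sentence is being touched anyway, "to another Web page" appears twice and could be tightened.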
@@ -11616,6 +11870,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11634,9 +11889,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
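Review bot: In the enabled-state paragraph, the added comma in "prompt the user to determine, whether to execute unsigned managed components" separates "determine" from its object, as does "manage, whether" in the first added line. Suggest reverting both commas. The wording for the Prompt option should also stay parallel with the signed-components policy, which receives the same edit later in this patch.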
@@ -11665,6 +11920,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11685,7 +11941,7 @@ ADMX Info:
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
-If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.
+If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control, to run from the current site or from all sites.
If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
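Review bot: In the enabled-state paragraph, the new comma in "allow the control, to run from the current site or from all sites" detaches "to run" from "the control", so the scope of what the user is approving becomes ambiguous. The per-site versus all-sites choice is the security-relevant detail of this prompt; suggest reverting to "allow the control to run from the current site or from all sites".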
@@ -11712,6 +11968,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11730,7 +11987,7 @@ ADMX Info:
-This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.
+This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites.
If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone.
@@ -11759,6 +12016,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11777,13 +12035,13 @@ ADMX Info:
-This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
+This policy setting allows you to manage restrictions on script-initiated pop-up windows, and windows that include the title and status bars.
If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature.
-If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone, as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
-If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
+If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone<> as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
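Review bot: The last added line contains a stray "<>" ("will be on in this zone<> as dictated by"), where the disabled-state line in this same hunk has a comma ("in this zone, as dictated by"). This looks like an editing leftover that would either render literally or be treated as markup. Replace "<>" with the intended punctuation so the disabled and not-configured paragraphs stay identical in wording.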
@@ -11808,6 +12066,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11826,7 +12085,7 @@ ADMX Info:
-This policy setting determines whether a page can control embedded WebBrowser controls via script.
+This policy setting determines, whether a page can control embedded WebBrowser controls via script.
If you enable this policy setting, script access to the WebBrowser control is allowed.
@@ -11857,6 +12116,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11875,7 +12135,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
@@ -11906,6 +12166,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11924,7 +12185,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
@@ -11932,7 +12193,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
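Review bot: The converted note introduces a comma between subject and verb: "controls whether Phishing Filter, scans pages in this zone". The move from "Note:" to the "> [!NOTE]" block is fine, but the sentence should read "controls whether Phishing Filter scans pages in this zone for malicious content", as in the removed line.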
@@ -11957,6 +12219,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -11975,7 +12238,7 @@ ADMX Info:
-This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
+This policy setting allows you to manage, whether script is allowed to update the status bar within the zone.
If you enable this policy setting, script is allowed to update the status bar.
@@ -12004,6 +12267,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12022,7 +12286,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
@@ -12053,6 +12317,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12071,7 +12336,7 @@ ADMX Info:
-This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
+This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you selected Enable in the drop-down box, VBScript can run without user intervention.
@@ -12104,6 +12369,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12122,13 +12388,13 @@ ADMX Info:
-This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
-If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
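Review bot: The description and the enabled state read with opposite polarity: the first line says the setting "determines, whether Internet Explorer runs antimalware programs against ActiveX controls", but enabling it means Internet Explorer "won't check with your antimalware program". Since these paragraphs are being edited, consider stating in the description that enabling the policy turns the antimalware check off, so an admin does not enable it expecting more scanning. The added commas after "determines" and before "to see if" are not needed.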
@@ -12153,6 +12419,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12171,7 +12438,7 @@ ADMX Info:
-This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.
+This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone.
If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
@@ -12202,6 +12469,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12220,7 +12488,7 @@ ADMX Info:
-This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
+This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.
@@ -12251,6 +12519,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12269,7 +12538,7 @@ ADMX Info:
-This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
+This policy controls, whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.
@@ -12298,6 +12567,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12316,15 +12586,15 @@ ADMX Info:
-This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
+This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows.
-If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting.
-If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting.
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting.
-In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.
-In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting.
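Review bot: The "click Disable" paragraph still says "when both the source and destination are in different windows", while the other four paragraphs in this hunk say "when the source and destination are in different windows". Since every line here is being rewritten, align the wording by dropping "both". The added comma before each "when" also turns a restrictive condition into an aside; the setting applies only to the different-window case, so the comma should go.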
@@ -12349,6 +12619,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12367,15 +12638,15 @@ ADMX Info:
-This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
+This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window.
-If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting.
+If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting.
-If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
-In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
+In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.
-In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
+In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog.
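Review bot: The two enabled-state paragraphs disagree about what the user is locked out of: "click Enable" ends with "Users cannot change this setting." while "click Disable" ends with "Users cannot change this setting in the Internet Options dialog." Pick one phrasing for both so a reader does not infer a difference in enforcement between the two options. The last paragraph has the same variation relative to the different-windows policy and could be aligned at the same time.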
@@ -12400,6 +12671,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12449,6 +12721,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12467,13 +12740,13 @@ ADMX Info:
-This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
+This policy setting controls, whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.
If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.
-If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.
+If you do not configure this policy setting, the user can choose whether path information is sent, when he or she is uploading a file via an HTML form. By default, path information is sent.
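Review bot: The not-configured paragraph keeps "he or she" ("when he or she is uploading a file"); since the line is being rewritten, use "they" or "the user". The new commas ("controls, whether or not local path information is sent" and "is sent, when he or she is uploading") should be dropped, and "whether or not" can be shortened to "whether". The closing sentence "By default, path information is sent" is the one that describes the exposure, so it should not be pushed further from the reader by extra clauses.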
@@ -12498,6 +12771,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12549,6 +12823,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12573,7 +12848,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
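Review bot: In the Medium Safety line, the new comma before "and user-controlled file I/O" splits a two-item list (scratch space and user-controlled file I/O) that both belong to "capabilities like". With the comma, file I/O can be read as a separate grant outside that list. Suggest reverting to the original punctuation.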
@@ -12604,6 +12879,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12622,7 +12898,7 @@ ADMX Info:
-This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
+This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
@@ -12653,6 +12929,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12675,7 +12952,7 @@ This policy setting allows you to manage settings for logon options.
If you enable this policy setting, you can choose from the following logon options.
-Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol.
Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
@@ -12710,6 +12987,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12728,9 +13006,9 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
+If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
@@ -12759,6 +13037,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12777,7 +13056,7 @@ ADMX Info:
-This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.
+This policy setting allows you to manage, whether ActiveX controls and plug-ins can be run on pages from the specified zone.
If you enable this policy setting, controls and plug-ins can run without user intervention.
@@ -12810,6 +13089,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12828,9 +13108,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
+If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components.
If you disable this policy setting, Internet Explorer will not execute signed managed components.
@@ -12859,6 +13139,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12877,7 +13158,7 @@ ADMX Info:
-This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.
+This policy setting allows you to manage, whether an ActiveX control marked safe for scripting can interact with a script.
If you enable this policy setting, script interaction can occur automatically without user intervention.
@@ -12910,6 +13191,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12928,7 +13210,7 @@ ADMX Info:
-This policy setting allows you to manage whether applets are exposed to scripts within the zone.
+This policy setting allows you to manage, whether applets are exposed to scripts within the zone.
If you enable this policy setting, scripts can access applets automatically without user intervention.
@@ -12961,6 +13243,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -12979,7 +13262,7 @@ ADMX Info:
-This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
+This policy setting controls, whether or not the "Open File - Security Warning" message appears, when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.
@@ -13010,6 +13293,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13059,6 +13343,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13077,7 +13362,7 @@ ADMX Info:
-This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
+This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.
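Review bot: "manage, whether unwanted pop-up windows appear" puts a comma between the verb and the clause it governs. The original line read correctly, so this change should be dropped.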
@@ -13108,6 +13393,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13126,13 +13412,13 @@ ADMX Info:
-Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
+Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts pop-up windows, and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
-If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
+If you enable this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.
-If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows.
+If you disable this policy setting, scripts can continue to create pop-up windows and windows that obfuscate other windows.
-If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
+If you do not configure this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes.
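Review bot: The popup to pop-up change is fine, but the rewritten first sentence still says "obfuscate other Windows' title and status bars", where "Windows'" refers to browser windows and not the product, so it should be lower-case. The new comma before "and prohibits scripts" also splits a compound predicate and is not needed.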
@@ -13157,6 +13443,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13177,7 +13464,10 @@ ADMX Info:
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
-If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
+If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers.
+
+> [!NOTE]
+> This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
@@ -13204,6 +13494,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13254,6 +13545,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13272,7 +13564,7 @@ ADMX Info:
-This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List.
+This setting lets you decide, whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting, and you must include at least one site in the Enterprise Mode Site List.
If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.
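Review bot: The link text on the changed line still carries a trailing space, "[InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies)", which is worth removing while the line is being touched. The new comma in "lets you decide, whether to open" should be dropped; the comma before "and you must include" is fine.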
@@ -13324,6 +13616,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13371,6 +13664,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13389,7 +13683,7 @@ ADMX Info:
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
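Review bot: "manage, whether Internet Explorer can access data from another security zone" has a comma between the verb and its object clause; the removed line was correct. This setting governs cross-zone data access, so the sentence should stay unambiguous: drop the comma.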
@@ -13420,6 +13714,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13438,7 +13733,7 @@ ADMX Info:
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+This policy setting manages, whether users will be automatically prompted for ActiveX control installations.
If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
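Review bot: The comma in "manages, whether users will be automatically prompted" is not grammatical and should be removed; the original sentence needs no change.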
@@ -13469,6 +13764,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13487,7 +13783,7 @@ ADMX Info:
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
If you enable this setting, users will receive a file download dialog for automatic download attempts.
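Review bot: "determines, whether users will be prompted" adds a comma that does not belong, while the real readability problem on this line, "non user-initiated", is left as is. Suggest dropping the comma and writing "file downloads that are not user-initiated".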
@@ -13516,6 +13812,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13534,7 +13831,7 @@ ADMX Info:
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+This policy setting allows you to manage, whether pages of the zone may download HTML fonts.
If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
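Review bot: Same issue on the changed line here: "manage, whether pages of the zone may download HTML fonts" should not have a comma after "manage". Revert to the original wording.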
@@ -13565,6 +13862,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13583,11 +13881,11 @@ ADMX Info:
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control.
If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
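Review bot: The comma in "manage, whether Web sites from less privileged zones" should be dropped. The "If you enable this policy setting" pair shows no visible difference between the removed and added line, so if that is a whitespace-only change it is worth saying so in the commit message. The comma added before "as set by Protection from Zone Elevation feature control" is fine.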
@@ -13614,6 +13912,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13632,9 +13931,9 @@ ADMX Info:
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components.
If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
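Review bot: Two commas were added before "whether" in this hunk ("manage, whether .NET Framework components" and "to determine, whether to execute"), and both separate a verb from its object. Neither line needed a change; suggest reverting both.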
@@ -13663,6 +13962,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13681,7 +13981,7 @@ ADMX Info:
-This policy setting allows you to manage whether the user can run scriptlets.
+This policy setting allows you to manage, whether the user can run scriptlets.
If you enable this policy setting, the user can run scriptlets.
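Review bot: "manage, whether the user can run scriptlets" should not have the comma; the removed line was correct as written.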
@@ -13712,6 +14012,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13730,7 +14031,7 @@ ADMX Info:
-This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content.
+This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content.
If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content.
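Review bot: The comma in "controls, whether Windows Defender SmartScreen scans pages" is an error introduced by this change. The "If you do not configure" paragraph in the next hunk uses "choose whether" without a comma, so the page is now inconsistent as well.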
@@ -13738,7 +14039,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p
If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content.
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!NOTE]
+> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content.
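Review bot: In the new note, "controls whether Phishing Filter, scans pages" puts a comma between the subject and its verb. Converting the inline "Note:" to a [!NOTE] block is good, but the sentence should keep the original wording: "controls whether Phishing Filter scans pages in this zone for malicious content."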
@@ -13763,6 +14065,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13781,7 +14084,7 @@ ADMX Info:
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured.
If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
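Review bot: The comma added in "the state of the page can be restored, if this policy setting is appropriately configured" turns a restrictive condition into an aside. The condition is the point of the sentence, so leave the comma out.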
@@ -13812,6 +14115,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13830,13 +14134,13 @@ ADMX Info:
-This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
+This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
-If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
+If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control.
-If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
+If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.
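Review bot: This text is easy to misread: the first sentence says the setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, but enabling it turns the check off, and so does leaving it unconfigured. Since the paragraph is being edited anyway, state plainly that Disabled is the value that enforces the check. The commas added in "determines, whether" and before each "to see if it's safe" are not needed and should be dropped.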
@@ -13861,6 +14165,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13912,6 +14217,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13936,7 +14242,7 @@ If you enable this policy setting, you can choose options from the drop-down box
Low Safety enables applets to perform all operations.
-Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
+Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
@@ -13967,6 +14273,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -13985,13 +14292,13 @@ ADMX Info:
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains.
-If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
+If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains.
@@ -14007,3 +14314,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
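Review bot: The new "Related topics" section ends the file without a trailing newline, as the "\ No newline at end of file" marker shows. Add a final newline after the link line so later appends to this file produce clean diffs.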
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index f8ed8cecde..21732fed2a 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Kerberos
-
@@ -54,7 +53,6 @@ manager: dansimp
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
@@ -66,6 +64,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -112,6 +111,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -138,8 +138,8 @@ This policy allows retrieving the cloud Kerberos ticket during the sign in.
Valid values:
-0 (default) - Disabled.
-1 - Enabled.
+0 (default) - Disabled
+1 - Enabled
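Review bot: The two value lines are consecutive plain lines, so Markdown will join them into a single paragraph ("0 (default) - Disabled 1 - Enabled"), and removing the periods makes that run-on worse. Make them list items, as the Licensing page in this same patch does with "- 0 (default) – Disabled" and "- 1 – Enabled".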
@@ -164,6 +164,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -181,7 +182,7 @@ ADMX Info:
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring, using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition.
@@ -209,6 +210,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -263,6 +265,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -280,9 +283,10 @@ ADMX Info:
-This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
+This policy setting controls whether a computer requires that Kerberos message exchanges being armored when communicating with a domain controller.
-Warning: When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+> [!WARNING]
+> When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
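Review bot: The rewritten first sentence, "requires that Kerberos message exchanges being armored", is ungrammatical; the removed wording "be armored" was correct and should be restored. The conversion of the warning to a [!WARNING] block is good and keeps the authentication-failure caveat visible.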
@@ -314,6 +318,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -335,7 +340,7 @@ This policy setting controls the Kerberos client's behavior in validating the KD
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
-If you disable or don't configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server.
+If you disable or don't configure this policy setting, the Kerberos client requires only the KDC certificate that contains the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server.
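Review bot: The reworded sentence changes the meaning of a security requirement. The original says the client "requires only that the KDC certificate contain the Server Authentication purpose object identifier", which describes the weaker validation applied when strict KDC validation is off; the new "requires only the KDC certificate that contains" reads as if a particular certificate is required. Restore the original wording.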
@@ -360,6 +365,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -386,7 +392,7 @@ If you enable this policy setting, the Kerberos client or server uses the config
If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
> [!NOTE]
-> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes.
+> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes.
@@ -411,6 +417,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -428,9 +435,9 @@ ADMX Info:
-Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal.
+Adds a list of domains that an Azure Active Directory joined device can attempt to contact, when it can't resolve a UPN to a principal.
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
+Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures, when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
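Review bot: Both commas added before "when" ("attempt to contact, when it can't resolve a UPN" and "can cause failures, when such a device needs to resolve") cut off restrictive clauses that define the condition being described. The original sentences were correct; suggest reverting.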
@@ -447,3 +454,6 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index ec353dc9aa..e5a08afafe 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - KioskBrowser
-
-
These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
@@ -60,6 +58,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -96,6 +95,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -132,6 +132,7 @@ List of blocked website URLs (with wildcard support). This policy is used to con
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -168,6 +169,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -201,6 +203,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -237,6 +240,7 @@ Enable/disable kiosk browser's home button.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -273,6 +277,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -290,7 +295,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
-Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state.
The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser.
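Review bot: "Amount of time in minutes, the session is idle until the kiosk browser restarts" no longer parses, because the comma separates "time" from the clause that qualifies it. Either keep the original line or rephrase it as "Amount of time, in minutes, that the session is idle before the kiosk browser restarts in a fresh state."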
@@ -301,4 +306,8 @@ The value is an int 1-1440 that specifies the number of minutes the session is i
-
\ No newline at end of file
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
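Review bot: The file still ends without a trailing newline after the new link line, and this hunk adds two blank lines before "## Related topics" where the other pages in this patch add one. Use a single blank line before the heading and end the file with a newline.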
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index abd1293e59..40e82cbc5d 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - LanmanWorkstation
-
-
@@ -27,7 +25,6 @@ manager: dansimp
-
@@ -39,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -56,13 +54,13 @@ manager: dansimp
-This policy setting determines if the SMB client will allow insecure guest sign ins to an SMB server.
+This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server.
-If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign ins.
+If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in.
-If you disable this policy setting, the SMB client will reject insecure guest sign ins.
+If you disable this policy setting, the SMB client will reject insecure guest sign in.
-Insecure guest sign ins are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign ins are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest sign ins by default. Since insecure guest sign ins are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign ins are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign ins and configuring file servers to require authenticated access.
+Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access.
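Review bot: Replacing "sign ins" with "sign in" throughout breaks number agreement in the security guidance: "Insecure guest sign in are used by file servers", "sign in are frequently used", "Since insecure guest sign in are unauthenticated". If the goal is to avoid "sign ins", use the hyphenated noun "sign-ins" and keep the plural verbs. The comma in "determines, if the SMB client" should also be dropped. This paragraph carries the recommendation to disable insecure guest access, so it needs to read cleanly.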
@@ -82,3 +80,6 @@ This setting supports a range of values between 0 and 1.
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
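Review bot: the added "Related topics" link is the last line of the file and has no trailing newline ("\ No newline at end of file"). Add one so that later appends produce a clean diff and tools that concatenate or lint the Markdown don't trip on it.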
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 430b7af709..80e2f0bd5a 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Licensing
-
-
@@ -30,7 +28,6 @@ manager: dansimp
-
@@ -42,6 +39,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -90,6 +88,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -121,8 +120,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Disabled.
-- 1 – Enabled.
+- 0 (default) – Disabled
+- 1 – Enabled
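Review bot: style is inconsistent across the patch. Here the terminal periods are dropped from the value list ("- 0 (default) – Disabled"), while the value lists in policy-csp-localpoliciessecurityoptions.md gain them in the same change ("- 0 - disabled.", "- 1 - enabled (username won't be shown)."). Pick one convention for supported-value lists and apply it to both files.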
@@ -131,3 +130,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index affd8a51ea..af2cf856e3 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -182,6 +182,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -201,13 +202,15 @@ manager: dansimp
This policy setting prevents users from adding new Microsoft accounts on this computer.
-If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer. Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system.
If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
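Review bot: the rewritten "Users cannot add Microsoft accounts" sentence changes the meaning. Splitting it after "on this computer." leaves "Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account." as a stand-alone imperative, so two of the three actions the option blocks now read as instructions to the reader. Keep all three under "users won't be able to", as the removed line did, or restructure as a list of blocked actions.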
@@ -236,6 +239,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -255,7 +259,9 @@ The following list shows the supported values:
This setting allows the administrator to enable the local Administrator account.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -283,6 +289,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -302,7 +309,9 @@ The following list shows the supported values:
This setting allows the administrator to enable the guest Administrator account.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
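Review bot: the unchanged context line directly above the edit reads "enable the guest Administrator account", which is self-contradictory and looks like a copy of the previous policy's description ("enable the local Administrator account"). Since this section is being touched anyway, confirm which account the setting controls and correct the sentence in the same pass.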
@@ -331,6 +340,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -352,16 +362,19 @@ Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
-Default: Enabled.
+Default: Enabled
> [!WARNING]
> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers.
-If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
+>
+> If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
-This setting doesn't affect sign ins that use domain accounts.
-It's possible for applications that use remote interactive sign ins to bypass this setting.
+This setting doesn't affect sign in that use domain accounts.
+It's possible for applications that use remote interactive sign in to bypass this setting.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
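Review bot: the two caveat lines lose their meaning with the singular "sign in". "This setting doesn't affect sign in that use domain accounts" no longer agrees, and "applications that use remote interactive sign in to bypass this setting" now parses as "sign in to bypass", which hides the actual caveat that such applications can bypass the blank-password restriction. Use "sign-ins" in both. Separately, moving the "Everyone group" sentence inside the WARNING block is a content change rather than a formatting one, so confirm that it belongs with the physical-access warning.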
@@ -372,8 +385,8 @@ GP Info:
Valid values:
-- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console
-- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard
+- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console.
+- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
@@ -389,6 +402,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -410,9 +424,11 @@ Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
-Default: Administrator.
+Default: Administrator
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -434,6 +450,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -455,9 +472,11 @@ Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
-Default: Guest.
+Default: Guest
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -479,6 +498,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -496,10 +516,11 @@ GP Info:
-Devices: Allow undock without having to sign in.
+Devices: Allow undock without having to sign in
This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer.
-Default: Enabled.
+
+Default: Enabled
> [!CAUTION]
> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
@@ -524,6 +545,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -545,8 +567,8 @@ Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
-- Administrators
-- Administrators and Interactive Users
+- Administrators.
+- Administrators and Interactive Users.
Default: This policy isn't defined, and only Administrators have this ability.
@@ -570,6 +592,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -591,7 +614,7 @@ Devices: Prevent users from installing printer drivers when connecting to shared
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
-Default on servers: Enabled.
+Default on servers: Enabled
Default on workstations: Disabled
>[!NOTE]
@@ -617,6 +640,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -662,6 +686,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -679,10 +704,11 @@ GP Info:
-Interactive Logon: Display user information when the session is locked
+Interactive Logon: Display user information when the session is locked
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -693,9 +719,9 @@ GP Info:
Valid values:
-- 1 - User display name, domain and user names
-- 2 - User display name only
-- 3 - Don't display user information
+- 1 - User display name, domain and user names.
+- 2 - User display name only.
+- 3 - Don't display user information.
@@ -711,6 +737,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -731,13 +758,16 @@ Valid values:
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
+
If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
-Default: Disabled.
+Default: Disabled
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -748,8 +778,8 @@ GP Info:
Valid values:
-- 0 - disabled (username will be shown)
-- 1 - enabled (username won't be shown)
+- 0 - disabled (username will be shown).
+- 1 - enabled (username won't be shown).
@@ -765,6 +795,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -790,9 +821,11 @@ If this policy is enabled, the username won't be shown.
If this policy is disabled, the username will be shown.
-Default: Disabled.
+Default: Disabled
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -803,8 +836,8 @@ GP Info:
Valid values:
-- 0 - disabled (username will be shown)
-- 1 - enabled (username won't be shown)
+- 0 - disabled (username will be shown).
+- 1 - enabled (username won't be shown).
@@ -820,6 +853,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -845,10 +879,12 @@ If this policy is enabled on a computer, a user isn't required to press CTRL+ALT
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
-Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
-Default on stand-alone computers: Enabled.
+Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 or earlier.
+Default on stand-alone computers: Enabled
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -859,8 +895,8 @@ GP Info:
Valid values:
-- 0 - disabled
-- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in)
+- 0 - disabled.
+- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in).
@@ -876,6 +912,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -893,13 +930,15 @@ Valid values:
-Interactive logon: Machine inactivity limit.
+Interactive logon: Machine inactivity limit
Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
-Default: not enforced.
+Default: Not enforced
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -925,6 +964,7 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -946,11 +986,13 @@ Interactive logon: Message text for users attempting to sign in
This security setting specifies a text message that is displayed to users when they sign in.
-This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
+This text is often used for legal reasons. For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
-Default: No message.
+Default: No message
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
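Review bot: splitting the sentence after "legal reasons." leaves "For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited." as a fragment with no main clause. Either restore the single sentence from the removed line or give the second sentence a subject and verb, for example "For example, it can warn users about ...".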
@@ -972,6 +1014,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -993,9 +1036,11 @@ Interactive logon: Message title for users attempting to sign in
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in.
-Default: No message.
+Default: No message
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -1017,6 +1062,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1040,16 +1086,16 @@ This security setting determines what happens when the smart card for a logged-o
The options are:
- No Action
- Lock Workstation
- Force Logoff
- Disconnect if a Remote Desktop Services session
+- No Action
+- Lock Workstation
+- Force Logoff
+- Disconnect if a Remote Desktop Services session
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed.
-If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
+If you click Disconnect on a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
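Review bot: "If you click Disconnect on a Remote Desktop Services session" no longer names the option. The list a few lines up in this same hunk calls it "Disconnect if a Remote Desktop Services session", and the sentence is describing what happens when that option is selected, not an action performed on a session. Keep the option name exactly as listed (formatting it as a UI label would also remove the awkwardness that probably prompted the edit).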
@@ -1077,6 +1123,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1096,14 +1143,14 @@ GP Info:
Microsoft network client: Digitally sign communications (always)
-This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-Default: Disabled.
+Default: Disabled
> [!Note]
-> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
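Review bot: "Microsoft file, print sharing, and many other networking operations" changes the meaning of the removed "Microsoft file and print sharing and many other networking operations". "File and print sharing" is one feature name, but the new serial list reads as three items, the first being just "Microsoft file". Suggest "Microsoft file and print sharing, and many other networking operations". The same rewording is repeated in the other three SMB signing descriptions in this file and should be fixed there too.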
@@ -1131,6 +1178,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1152,11 +1200,11 @@ Microsoft network client: Digitally sign communications (if server agrees)
This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
-Default: Enabled.
+Default: Enabled
> [!Note]
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
@@ -1189,6 +1237,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1212,7 +1261,7 @@ If this security setting is enabled, the Server Message Block (SMB) redirector i
Sending unencrypted passwords is a security risk.
-Default: Disabled.
+Default: Disabled
@@ -1234,6 +1283,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1294,6 +1344,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1315,9 +1366,9 @@ Microsoft network server: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB server component.
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
-If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled for member servers. Enabled for domain controllers.
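Review bot: the comma added in "won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing" separates a restrictive condition from the statement it limits. The refusal applies only when the client does not agree to signing, so the removed wording without the comma was the accurate one. This hunk also carries the "Microsoft file, print sharing, and many other" rewording, which turns the feature name "file and print sharing" into a list.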
@@ -1352,6 +1403,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1373,7 +1425,7 @@ Microsoft network server: Digitally sign communications (if client agrees)
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
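Review bot: the trailing context line ends with "If this policy is disabled, the SMB client will never negotiate SMB packet signing", but this section describes the server-side "(if client agrees)" setting, so the disabled case should describe what the SMB server does. It looks carried over from the client description and is worth correcting while this paragraph is being edited. The added line also repeats the "Microsoft file, print sharing, and many other" rewording that splits the feature name "file and print sharing".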
@@ -1410,6 +1462,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1438,8 +1491,8 @@ This security option allows more restrictions to be placed on anonymous connecti
Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No extra restrictions. Rely on default permissions.
-Default on workstations: Enabled.
-Default on server: Enabled.
+Default on workstations: Enabled
+Default on server: Enabled
> [!IMPORTANT]
> This policy has no impact on domain controllers.
@@ -1464,6 +1517,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1487,7 +1541,7 @@ This security setting determines whether anonymous enumeration of SAM accounts a
Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
-Default: Disabled.
+Default: Disabled
@@ -1509,6 +1563,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1530,9 +1585,9 @@ Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
-Network access: Named pipes that can be accessed anonymously
-Network access: Shares that can be accessed anonymously
-Default: Enabled.
+- Network access: Named pipes that can be accessed anonymously.
+- Network access: Shares that can be accessed anonymously.
+- Default: Enabled.
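Review bot: "- Default: Enabled." has been made the third bullet under "restricts anonymous access to shares and pipes to the settings for:", so the default now reads as one of the settings that govern anonymous access. Only the two "Network access:" policies belong in that list. Put the default back on its own line after the list, separated by a blank line, as "Default: Enabled" to match the other defaults in this patch.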
@@ -1554,6 +1609,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1599,6 +1655,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1631,8 +1688,8 @@ GP Info:
Valid values:
-- 0 - Disabled
-- 1 - Enabled (Allow Local System to use computer identity for NTLM.)
+- 0 - Disabled.
+- 1 - Enabled (Allow Local System to use computer identity for NTLM).
@@ -1648,6 +1705,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1669,8 +1727,9 @@ Network security: Allow PKU2U authentication requests to this computer to use on
This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine.
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -1681,8 +1740,8 @@ GP Info:
Valid values:
-- 0 - disabled
-- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+- 0 - disabled.
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities).
@@ -1698,6 +1757,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1719,9 +1779,8 @@ Network security: Don't store LAN Manager hash value on next password change
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.
-
-Default on Windows Vista and above: Enabled
-Default on Windows XP: Disabled.
+- Default on Windows Vista and above: Enabled
+- Default on Windows XP: Disabled
@@ -1743,6 +1802,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1762,27 +1822,27 @@ GP Info:
Network security LAN Manager authentication level
-This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+This security setting determines which challenge/response authentication protocol is used for network logon. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
-Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+- Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
-Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+- Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
-Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
-Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
-Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
-Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+- Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
-Default:
+- Default:
-windows XP: send LM and NTLM responses
+- windows XP: send LM and NTLM responses.
-Windows Server 2003: Send NTLM response only
+- Windows Server 2003: Send NTLM response only.
-Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only.
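Review bot: The new list structure is inconsistent at the end of this hunk. "- Default:" is a sibling of the six option bullets, the Windows XP and Windows Server 2003 defaults are further siblings rather than nested under it, and the last line ("Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: ...") has no "- " prefix at all, so it will render as a trailing paragraph. Suggest keeping "Default:" as a plain lead-in line and making all three per-OS defaults bullets under it. While touching the line, "- windows XP: send LM and NTLM responses." should be capitalized as "Windows XP: Send LM and NTLM responses." to match the option name used above.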
@@ -1804,6 +1864,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1828,11 +1889,11 @@ This security setting allows a client device to require the negotiation of 128-b
- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated.
-Default:
+- Default:
-Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
+- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
-Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
+- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
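Review bot: Turning "Default:" into "- Default:" puts it at the same level as the two "Require ..." options in the context lines, so a reader can take it for a third option value. The two per-OS lines that follow are its content and should be nested under it (or "Default:" should stay a plain lead-in line with the two OS entries as the only bullets).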
@@ -1854,6 +1915,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1875,14 +1937,15 @@ Network security: Minimum session security for NTLM SSP based (including secure
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
-Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
+- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated.
-Default:
+- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated.
-Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
+- Default:
-Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements.
+
+- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
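Review bot: In "- Require 128-bit encryption. The connection will fail ..." the option name is followed by a period, while the bullet above it and the client-side setting in the previous hunk use a colon ("Require 128-bit encryption: The connection will fail ..."). Since the line is being rewritten anyway, switch to the colon. The "- Default:" bullet also sits at the same level as the options here; the per-OS defaults should be nested under it.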
@@ -1904,6 +1967,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1923,13 +1987,13 @@ GP Info:
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
-This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication, if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
If you don't configure this policy setting, no exceptions will be applied.
-The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
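Review bot: The added comma in "To ensure exceptions, the name used by all applications needs to be in the list" does not repair the sentence; "To ensure exceptions" still has no object. Suggest rewording, for example "To ensure that exceptions apply, the name used by each application must be in the list." The comma added before "if the ... policy setting is configured" in the first paragraph is not needed, because the conditional clause is restrictive.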
@@ -1960,6 +2024,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2021,6 +2086,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2082,6 +2148,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2143,6 +2210,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2168,10 +2236,12 @@ When this policy is enabled, the Shut Down command is available on the Windows l
When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
-Default on workstations: Enabled.
-Default on servers: Disabled.
+- Default on workstations: Enabled.
+- Default on servers: Disabled.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
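Review bot: The replacement wording repeats itself: "This policy supports the following:" is followed by two bullets that each start with "Supported". The same three lines are introduced in several later hunks, so it is worth settling the pattern once, for example "- Value type: integer" and "- Operations: Add, Get, Replace, and Delete" under the lead-in. Also consider leaving a blank line between the lead-in and the list so that the block renders as a list in every Markdown processor.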
@@ -2182,8 +2252,8 @@ GP Info:
Valid values:
-- 0 - disabled
-- 1 - enabled (allow system to be shut down without having to sign in)
+- 0 - disabled.
+- 1 - enabled (allow system to be shut down without having to sign in).
@@ -2199,6 +2269,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2224,7 +2295,7 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
-Default: Disabled.
+Default: Disabled
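Review bot: This change removes the period from "Default: Disabled.", while other hunks in the same file keep or add terminal periods on default lines ("- Default on workstations: Enabled.", "- Windows Server 2003: Send NTLM response only."). Pick one convention for the default lines and apply it throughout the file.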
@@ -2246,6 +2317,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2273,7 +2345,9 @@ Disabled: (Default)
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2284,8 +2358,8 @@ GP Info:
Valid values:
-- 0 - disabled
-- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+- 0 - disabled.
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop).
@@ -2301,6 +2375,7 @@ Valid values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2340,7 +2415,9 @@ The options are:
- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2362,6 +2439,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2380,9 +2458,12 @@ GP Info:
User Account Control: Behavior of the elevation prompt for standard users
+
This policy setting controls the behavior of the elevation prompt for standard users.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2394,9 +2475,9 @@ GP Info:
The following list shows the supported values:
-- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user, may choose this setting to reduce help desk calls.
- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
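Review bot: The comma added in "An enterprise that is running desktops as standard user, may choose this setting" separates the subject from its verb and should be dropped. The "- 3 (Default) - Prompt for credentials" line reads the same before and after in the visible text, so that change is presumably whitespace only; if it is not intentional, leave the line out of the commit.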
@@ -2412,6 +2493,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2435,9 +2517,9 @@ This policy setting controls the behavior of application installation detection
The options are:
-Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+- Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
@@ -2459,6 +2541,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2478,13 +2561,15 @@ GP Info:
User Account Control: Only elevate executable files that are signed and validated
-This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run, by adding certificates to the Trusted Publishers certificate store on local computers.
The options are:
- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run.
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2506,6 +2591,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2525,7 +2611,7 @@ GP Info:
User Account Control: Only elevate UIAccess applications that are installed in secure locations
-This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
+This policy setting controls, whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations:
- .\Program Files\, including subfolders
- .\Windows\system32\
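Review bot: "This policy setting controls, whether applications ..." puts a comma between the verb and its object clause. The original wording without the comma was correct and should be restored.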
@@ -2538,7 +2624,9 @@ The options are:
- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2560,6 +2648,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2587,10 +2676,11 @@ The options are:
> [!NOTE]
> If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced.
-- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2612,6 +2702,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2637,7 +2728,9 @@ The options are:
- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2659,6 +2752,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2706,6 +2800,7 @@ GP Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2727,7 +2822,9 @@ User Account Control: Virtualize file and registry write failures to per-user lo
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy supports the following:
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -2746,5 +2843,8 @@ The following list shows the supported values:
-
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index fb1249a953..acd43127cc 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -25,7 +25,6 @@ manager: dansimp
-
@@ -37,11 +36,11 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-
@@ -86,7 +85,7 @@ where:
> [!NOTE]
> When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
-for more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
+For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
@@ -94,7 +93,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `` is not valid for the R (Restrict) action and will be ignored if present.
-> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
+> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
@@ -120,7 +119,7 @@ The following example updates the built-in administrators group with AAD account
Example 2: Replace / Restrict the built-in administrators group with an AAD user account.
> [!NOTE]
-> When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group.
+> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group.
Example:
```xml
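Review bot: Replacing the comma with a period leaves "When using 'R' replace option to configure the built-in 'Administrators' group." as a sentence fragment. Keep it as one sentence, for example "When using the 'R' replace option to configure the built-in Administrators group, always specify the administrator as a member, plus any other custom members."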
@@ -132,6 +131,7 @@ Example:
```
+
Example 3: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
@@ -147,7 +147,6 @@ The following example shows how you can update a local group (**Administrators**
```
-
@@ -157,7 +156,7 @@ The following example shows how you can update a local group (**Administrators**
> [!NOTE]
>
-> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
+> When AAD group SID’s are added to local groups, AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
>
> - Administrators
> - Users
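Review bot: Dropping "during" changes the meaning of the note. The old text said that privileges are evaluated during AAD account logon; the new text, "AAD account logon privileges are evaluated only for ...", reads as if "AAD account logon privileges" were a kind of privilege. Suggest "When AAD group SIDs are added to local groups, privileges are evaluated during AAD account logon only for the following well-known groups". "SID's" should also be "SIDs".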
@@ -296,5 +295,8 @@ To troubleshoot Name/SID lookup APIs:
```
-
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 90a9dc1bf5..97ea810006 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - LockDown
-
@@ -26,7 +25,6 @@ manager: dansimp
-
@@ -38,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -57,7 +56,7 @@ manager: dansimp
Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
-The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled.
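Review bot: The last sentence now contains a comma splice: "attempt to swipe from the top of the screen to rearrange, that will also be disabled." Either keep the two sentences separate as before or use "rearrange; that will also be disabled". Merging the first two sentences with ", and then try to swipe" is fine.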
@@ -80,3 +79,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
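Review bot: The added "Related topics" link is the last line of the file and carries a "\ No newline at end of file" marker. Please end the file with a newline so that later appends do not produce a spurious change on this line. The same marker follows the identical addition in policy-csp-maps.md and policy-csp-memorydump.md.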
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index c2cb4d83fd..6ee7e3956d 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Maps
-
-
@@ -30,7 +28,6 @@ manager: dansimp
-
@@ -42,6 +39,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -85,6 +83,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -128,3 +127,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md
index eea0f98401..92d62d27ee 100644
--- a/windows/client-management/mdm/policy-csp-memorydump.md
+++ b/windows/client-management/mdm/policy-csp-memorydump.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - MemoryDump
-
-
@@ -30,7 +28,6 @@ manager: dansimp
-
@@ -42,6 +39,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -82,6 +80,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -115,3 +114,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 7c01fe7a99..f002adc108 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Messaging
-
-
@@ -27,7 +25,6 @@ manager: dansimp
-
@@ -39,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -80,3 +78,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 02d6f53ac3..69536145cf 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -68,12 +68,12 @@ Steps to use this policy correctly:
1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
1. The value can be between min / max allowed.
1. Enroll HoloLens devices and verify both configurations get applied to the device.
-1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
+1. Let Azure AD user 1 sign-in, when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they're a member of Azure AD group to which Kiosk configuration is targeted.
> [!NOTE]
-> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
+> Until step 4 is performed for a Azure AD, user will experience failure behavior mentioned similar to “disconnected” environments.
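Review bot: The comma in the note is in the wrong place. "Until step 4 is performed for a Azure AD, user will experience ..." splits the noun phrase "Azure AD user". Suggest "Until step 4 is performed for an Azure AD user, that user will experience failure behavior similar to 'disconnected' environments." In step 4, the comma added in "sign-in, when internet is available" is not needed.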
@@ -90,14 +90,14 @@ Steps to use this policy correctly:
|HoloLens 2|Yes|
-This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in.
+This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in.
When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon.
The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser`
-String value
+Supported value is String.
- User with the same email address will have autologon enabled.
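Review bot: "Supported value is String." names a type, not a value. Other hunks in this commit use "Supported value type is integer"; use the same form here ("Supported value type is string."). The first changed paragraph shows no visible difference between the old and new line, so it looks like a whitespace-only edit that could be dropped from the commit.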
@@ -106,7 +106,7 @@ On a device where this policy is configured, the user specified in the policy wi
> [!NOTE]
>
> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior.
-> - Auto-logon is only supported for MSA and AAD users.
+> - Auto-logon is only supported for Microsoft account and AAD users.
@@ -121,7 +121,7 @@ On a device where this policy is configured, the user specified in the policy wi
-This policy setting controls for how many days Azure AD group membership cache is allowed to be used for Assigned Access configurations targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions.
+This policy setting controls, for how many days Azure AD group membership cache is allowed to be used for the Assigned Access configurations, targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions.
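Review bot: Both added commas break the sentence. "controls, for how many days" separates the verb from its object, and "configurations, targeting Azure AD groups" makes a restrictive phrase read as an aside. Suggest "This policy setting controls how many days the Azure AD group membership cache can be used for Assigned Access configurations that target Azure AD groups for the signed-in user."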
@@ -129,7 +129,7 @@ This policy setting controls for how many days Azure AD group membership cache i
-- Integer value
+Supported value is Integer.
Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days).
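Review bot: "Supported value is Integer." is immediately followed by the context line "Supported values are 0-60.", so the two lines appear to answer the same question differently. Say "Supported value type is integer." for the first line so that the range line reads as the set of allowed values.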
@@ -169,7 +169,7 @@ This policy setting controls if pressing the brightness button changes the brigh
-- Boolean value
+Supported values is Boolean.
The following list shows the supported values:
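Review bot: "Supported values is Boolean." has a subject and verb that disagree, and it differs from the "Supported value is ..." form added in the other hunks of this file. Use "Supported value is Boolean."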
@@ -204,7 +204,7 @@ The following list shows the supported values:
-This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
+This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
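Review bot: the line is being touched only to add a comma, yet it still spells the product "Hololens 2" twice where the link text on the same line has "HoloLens 2". The link also keeps a "#:~:text=..." text-fragment anchor, which breaks as soon as the target page's wording changes; link to the page or to a heading anchor instead.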
@@ -212,7 +212,7 @@ This policy controls the behavior of moving platform feature on Hololens 2, that
-- Integer value
+Supported value is Integer.
- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system.
- 1 Force off - Moving platform is disabled and can't be changed by user.
@@ -246,7 +246,7 @@ This policy controls the behavior of moving platform feature on Hololens 2, that
-This policy setting controls when and if diagnostic logs can be collected using specific button combination on HoloLens.
+This policy setting controls, when and if diagnostic logs can be collected using specific button combination on HoloLens.
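Review bot: the comma added after "controls" separates the verb from its object clause ("controls, when and if diagnostic logs can be collected"). The removed line read correctly; this change should be dropped.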
@@ -254,13 +254,13 @@ This policy setting controls when and if diagnostic logs can be collected using
-- Integer value
+Supporting value is Integer.
The following list shows the supported values:
-- 0 - Disabled
-- 1 - Enabled for device owners
-- 2 - Enabled for all (Default)
+- 0 - Disabled.
+- 1 - Enabled for device owners.
+- 2 - Enabled for all (Default).
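Review bot: this hunk adds "Supporting value is Integer." while earlier hunks in the same file add "Supported value is Integer." The "Supporting" form recurs in the following hunks as well; pick one wording for the whole file, presumably "Supported value is".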
@@ -298,12 +298,12 @@ This policy configures behavior of HUP to determine, which algorithm to use for
-- Boolean value
+Supporting value is Boolean.
The following list shows the supported values:
-- 0 - Feature – Default feature based / SLAM-based tracker (Default)
-- 1 - Constellation – LR constellation based tracker
+- 0 - Feature – Default feature based / SLAM-based tracker (Default).
+- 1 - Constellation – LR constellation based tracker.
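Review bot: the two list items are rewritten only to add a full stop, leaving the inconsistent hyphenation in place: "feature based / SLAM-based tracker" and "LR constellation based tracker". Since the lines are being edited anyway, hyphenate all three compound modifiers the same way.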
@@ -341,7 +341,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not
-- Boolean value
+Supporting value is Boolean.
The following list shows the supported values:
@@ -384,7 +384,7 @@ This policy setting controls if pressing the volume button changes the volume or
-- Boolean value
+Supporting value is Boolean.
The following list shows the supported values:
@@ -419,7 +419,7 @@ The following list shows the supported values:
-This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in if no other user has logged in on the device before.
+This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in, if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in, if no other user has logged in on the device before.
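Review bot: both commas added before "if" ("logged in, if an Assigned Access profile ..." and "logged in, if no other user ...") set off restrictive conditions and should not be there. These conditions define when auto-logon of a visitor happens, so the sentence should read as a single unbroken condition, as the removed line did.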
@@ -427,7 +427,7 @@ This policy controls whether a visitor user will be automatically logged in. Vis
-- Boolean value
+Supported value is Boolean.
The following list shows the supported values:
@@ -439,3 +439,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
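Review bot: the new "Related topics" section ends the file without a trailing newline, as the "\ No newline at end of file" marker shows. The same marker appears after the identical block added to several other files in this patch; add the final newline in each so later appends don't produce a spurious diff on the link line.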
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 812c96e877..c85466d3ee 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -15,7 +15,6 @@ manager: dansimp
# Policy CSP - MSSecurityGuide
-
@@ -43,11 +42,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
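Review bot: the TIP line rewritten here still recommends "a variety of online encoders" for the SyncML payload; since these payloads carry device policy configuration, the text would be better pointing to a local encoding step, or leading with the CDATA option it already mentions. The CDATA link on the same line uses "http://www.w3.org/..." and could be switched to https. The removed and added lines in this hunk are otherwise visually identical, so the commit message should say that the change is whitespace only.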
@@ -60,6 +59,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
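Review bot: the added "|Windows SE|No|Yes|" row cannot be checked from this hunk because the table's header row sits above the context shown, and the same row is repeated in every edition table in this file. Please confirm the "No" and "Yes" are in the intended columns, and consider whether a shared include would be safer than pasting the row into each table.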
@@ -99,6 +99,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -139,6 +140,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -179,6 +181,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -219,6 +222,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -258,6 +262,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -287,6 +292,8 @@ ADMX Info:
-
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 6f71a563e4..83db3103f2 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - MSSLegacy
-
@@ -36,11 +35,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -53,6 +52,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -92,6 +92,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -132,6 +133,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -171,6 +173,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -201,6 +204,8 @@ ADMX Info:
-
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index 1bd998b15e..9f93048ae9 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -25,7 +25,6 @@ manager: dansimp
-
@@ -37,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -66,11 +66,11 @@ This policy only applies to the Alt+Tab switcher. When the policy isn't enabled,
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
@@ -96,3 +96,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 9dbb409924..4b81789c59 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - NetworkIsolation
-
-
@@ -48,7 +46,6 @@ manager: dansimp
-
@@ -60,6 +57,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -102,6 +100,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -157,6 +156,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -174,7 +174,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-Integer value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+Integer value that tells the client to accept the configured list and not to use heuristics to attempt and find other subnets.
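Review bot: changing "attempt to find other subnets" to "attempt and find other subnets" alters the meaning, because "not to ... attempt and find" now reads as two separate actions. The setting is about the client not trying heuristics at all, so the original "attempt to find" should stay.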
@@ -198,6 +198,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -240,6 +241,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -257,11 +259,10 @@ ADMX Info:
-This list is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
+This is a list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
Here are the steps to create canonical domain names:
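Review bot: the NOTE in this hunk says the client rejects domain names that are not canonical, yet the example kept in the rewritten line is "contoso.sharepoint.com, Fabrikam.com", with a capitalised name and a space after the comma. If the canonical form described in the steps below is lower case with no padding, the example should show that form. The sentence "This list is a comma-separated list of domains" could also be shortened now that the paragraph opens with "This is a list of domains".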
@@ -283,6 +284,7 @@ Here are the steps to create canonical domain names:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -325,6 +327,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -366,6 +369,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -399,4 +403,8 @@ ADMX Info:
-
\ No newline at end of file
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 1e7e152515..72328ad669 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - NetworkListManager
-
@@ -29,7 +28,6 @@ manager: dansimp
-
@@ -41,6 +39,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -84,6 +83,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must fo
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -107,3 +107,6 @@ This policy setting provides the string that is to be used to name a network. Th
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index cb70df917f..5d8350eed5 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - NewsAndInterests
-
-
@@ -26,8 +24,6 @@ manager: dansimp
NewsAndInterests/AllowNewsAndInterests
-
-
@@ -39,6 +35,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -65,7 +62,7 @@ This policy specifies whether to allow the entire widgets experience, including
The following are the supported values:
-- 1 - Default - Allowed
+- 1 - Default - Allowed.
- 0 - Not allowed.
@@ -82,5 +79,8 @@ ADMX Info:
+
-
\ No newline at end of file
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 20823757ce..3039a6845a 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Notifications
-
-
@@ -48,6 +46,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -71,7 +70,7 @@ If you enable this policy setting, applications and system features won't be abl
If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application.
-If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in and applications will be allowed to use periodic (polling) notifications.
+If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in, and applications will be allowed to use periodic (polling) notifications.
No reboots or service restarts are required for this policy setting to take effect.
@@ -93,9 +92,9 @@ This setting supports a range of values between 0 and 1.
Validation:
-1. Enable policy
-2. Reboot machine
-3. Ensure that you can't receive a notification from Facebook app while FB app isn't running
+1. Enable policy.
+2. Reboot machine.
+3. Ensure that you can't receive a notification from Facebook app while FB app isn't running.
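Review bot: step 3 is edited only to add a full stop and still names the same product two ways, "Facebook app" and "FB app", in one sentence. Use one name, or describe the check generically as an app that sends push notifications while it isn't running.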
@@ -111,6 +110,7 @@ Validation:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -130,7 +130,7 @@ Validation:
Boolean value that turns off notification mirroring.
-For each user signed in to the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
+For each user signed in to the device, if you enable this policy (set value to 1), the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
No reboot or service restart is required for this policy to take effect.
@@ -163,6 +163,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -203,9 +204,9 @@ This setting supports a range of values between 0 and 1.
Validation:
-1. Enable policy
-2. Reboot machine
-3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile)
+1. Enable policy.
+2. Reboot machine.
+3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile).
@@ -265,7 +266,8 @@ This policy setting determines which Windows Notification Service endpoint will
If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
-Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
+> [!NOTE]
+> Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
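Review bot: the new NOTE keeps the phrasing "allowlisted from your firewall settings", which should be "in your firewall settings", and capitalises "Ports" mid-sentence. Because this is the firewall guidance for the WNS endpoint, it would also help to say where the list of "proper WNS FQDNs, VIPs, IPs" can be found, as the note gives no reference.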
@@ -285,3 +287,7 @@ If the policy isn't specified, we'll default our connection to client.wns.window
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 30eb1c679f..ca3d7e34bd 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -93,11 +93,11 @@ manager: dansimp
> [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -176,6 +176,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -222,6 +223,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -268,6 +270,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -318,6 +321,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -341,7 +345,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -366,6 +370,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -422,6 +427,7 @@ Supported values: 0-100. The default is 70.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -477,6 +483,7 @@ Supported values: 0-100. The default is 70.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -500,7 +507,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -525,6 +532,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -548,11 +556,10 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
-
ADMX Info:
- GP Friendly name: *Specify the system hibernate timeout (plugged in)*
@@ -574,6 +581,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -620,6 +628,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -666,6 +675,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -727,6 +737,7 @@ The following are the supported lid close switch actions (on battery):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -788,6 +799,7 @@ The following are the supported lid close switch actions (plugged in):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -849,6 +861,7 @@ The following are the supported Power button actions (on battery):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -910,6 +923,7 @@ The following are the supported Power button actions (plugged in):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -971,6 +985,7 @@ The following are the supported Sleep button actions (on battery):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1032,6 +1047,7 @@ The following are the supported Sleep button actions (plugged in):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1080,6 +1096,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1103,7 +1120,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat
If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -1128,6 +1145,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1163,8 +1181,8 @@ ADMX Info:
The following are the supported values for Hybrid sleep (on battery):
-- 0 - no hibernation file for sleep (default)
-- 1 - hybrid sleep
+- 0 - no hibernation file for sleep (default).
+- 1 - hybrid sleep.
@@ -1186,6 +1204,7 @@ The following are the supported values for Hybrid sleep (on battery):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1221,8 +1240,8 @@ ADMX Info:
The following are the supported values for Hybrid sleep (plugged in):
-- 0 - no hibernation file for sleep (default)
-- 1 - hybrid sleep
+- 0 - no hibernation file for sleep (default).
+- 1 - hybrid sleep.
@@ -1244,6 +1263,7 @@ The following are the supported values for Hybrid sleep (plugged in):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1302,6 +1322,7 @@ Default value for unattended sleep timeout (on battery):
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1353,3 +1374,6 @@ Default value for unattended sleep timeout (plugged in):
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 48b7f7722b..3fe4de393e 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -15,7 +15,6 @@ manager: dansimp
# Policy CSP - Printers
-
@@ -46,11 +45,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -105,7 +104,8 @@ manager: dansimp
This policy implements the print portion of the Device Control requirements.
-These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+
This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
The format of this setting is `/[,/]`
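Review bot: The format line directly below the new blank line reads "/[,/]", which shows only the separators and no placeholder names, so a reader cannot tell which side of the slash is the Vid and which is the Pid. While this paragraph is being edited, spell the placeholders out in a way that survives rendering (for example escaped or inside the code span) and add one concrete sample value.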
@@ -176,7 +176,8 @@ ADMX Info:
This policy implements the print portion of the Device Control requirements.
-These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+
This policy will contain the comma separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
The format of this setting is `/[,/]`
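Review bot: The context sentence in this hunk says "comma separated list", while the same sentence in the preceding hunk of this file says "comma-separated list". The two policy descriptions are otherwise word for word the same, so hyphenate this one as well while the paragraph is open.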
@@ -244,7 +245,8 @@ ADMX Info:
This policy implements the print portion of the Device Control requirements.
-These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
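Review bot: The comma added after "corporate connected printers" changes how the "while either directly connected to the corporate network or when using a VPN" clause attaches: it can now be read as applying to the USB allow-list case too, not only to corporate printers. If the network condition is meant to cover only corporate printers, drop the comma or split the sentence in two. "USB connected" and "corporate connected" are also compound modifiers and would normally be hyphenated.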
@@ -253,7 +255,6 @@ If the policy value is either Unconfigured or Disabled, the print spooler won't
If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list.
-
@@ -320,7 +321,8 @@ ADMX Info:
This policy implements the print portion of the Device Control requirements.
-These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network.
+
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
@@ -329,7 +331,6 @@ If the policy value is either Unconfigured or Disabled, the print spooler won't
If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list.
-
@@ -353,6 +354,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -382,9 +384,9 @@ If you don't configure this policy setting:
- Windows Vista client computers can point and print to any server.
-- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print.
-- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
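Review bot: The commas added before "when" in the two Windows Vista bullets ("an elevated command prompt, when users create a printer connection") separate a restrictive clause from the verb it qualifies and make the bullets harder to read. The original wording without the comma was correct; suggest reverting these two lines.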
@@ -392,9 +394,9 @@ If you disable this policy setting:
- Windows Vista client computers can create a printer connection to any server using Point and Print.
-- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print.
-- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
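Review bot: These "If you disable this policy setting" bullets say Windows Vista computers won't show a warning or an elevated command prompt for Point and Print connections or driver updates from any server, but nothing in the hunk marks this as the less restrictive configuration. Since the bullets are being edited, consider adding a `[!NOTE]` that disabling the setting removes both prompts. The commas inserted before "when" on the two changed lines should also be dropped; the clause is restrictive.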
@@ -436,6 +438,7 @@ Data type: String Value:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -465,9 +468,9 @@ If you don't configure this policy setting:
- Windows Vista client computers can point and print to any server.
-- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print.
-- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
@@ -475,9 +478,9 @@ If you disable this policy setting:
- Windows Vista client computers can create a printer connection to any server using Point and Print.
-- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print.
-- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
@@ -505,6 +508,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -524,11 +528,12 @@ ADMX Info:
Determines whether the computer's shared printers can be published in Active Directory.
-If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
+If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' on the Sharing tab, to publish shared printers in Active Directory.
If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available.
-Note: This setting takes priority over the setting "Automatically publish new printers in the Active Directory".
+> [!NOTE]
+> This setting takes priority over the setting "Automatically publish new printers in the Active Directory".
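Review bot: The rewritten sentence now reads "in the Printer's Properties' on the Sharing tab, to publish shared printers", which keeps a stray apostrophe after "Properties" and adds a comma before the infinitive. Something like "users can use the "List in directory" option on the Sharing tab of the printer's Properties to publish shared printers in Active Directory" says the same thing cleanly. Converting the inline "Note:" to a `[!NOTE]` block is a good change.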
@@ -545,3 +550,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
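Review bot: The new "Related topics" section leaves the file without a trailing newline (see the "\ No newline at end of file" marker); please end the file with one so later appends produce clean diffs. The added link is written as `policy-configuration-service-provider.md`, while the links earlier in this file use the `./` prefix (`./understanding-admx-backed-policies.md`), so pick one style for the file.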
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 0bcba72d88..6f984cad6c 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -15,7 +15,6 @@ manager: dansimp
# Policy CSP - Privacy
-
@@ -306,6 +305,7 @@ manager: dansimp
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -328,7 +328,6 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con
> [!NOTE]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
Most restricted value is 0.
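Review bot: Please confirm that a blank line still separates the `[!NOTE]` block from "Most restricted value is 0." after this deletion. If the removed line was the only separator, Markdown treats the sentence as a lazy continuation of the quoted paragraph and renders it inside the note.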
@@ -352,6 +351,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -402,6 +402,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -419,7 +420,7 @@ The following list shows the supported values:
-Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users.
+Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users.
Most restricted value is 0.
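Review bot: The rewritten speech-recognition paragraph is still one long block that mixes "cannot" and "is not" with the contractions used elsewhere in this patch ("can't", "won't"), and "If policy value is set to 1" is missing its article. Since the line is being replaced anyway, consider moving the 0 and 1 behaviors into a short list and aligning the wording. The new "for dictation, and talk to Cortana" also loses the parallel "to" from the original "for dictation and to talk to".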
@@ -452,6 +453,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -503,6 +505,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -523,7 +526,8 @@ The following list shows the supported values:
Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.
-Value type is integer.
+Supported value type is integer.
+
- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade.
- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade.
@@ -560,6 +564,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -591,7 +596,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud).
+- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled (not published to the cloud).
- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph.
@@ -608,6 +613,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -627,7 +633,6 @@ The following list shows the supported values:
Specifies whether Windows apps can access account information.
-
Most restricted value is 2.
@@ -661,6 +666,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -703,6 +709,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -745,6 +752,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -787,6 +795,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
@@ -809,7 +818,7 @@ ADMX Info:
Specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background.
-Value type is integer.
+Supported value type is integer.
@@ -842,6 +851,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
@@ -864,7 +874,7 @@ The following list shows the supported values:
List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
-Value type is chr.
+Supported value type is chr.
@@ -892,6 +902,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
@@ -914,7 +925,7 @@ ADMX Info:
List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
-Value type is chr.
+Supported value type is chr.
@@ -942,6 +953,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
@@ -965,7 +977,7 @@ ADMX Info:
List of semi-colon delimited Package Family Names of Windows Store Apps.
The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
-Value type is chr.
+Supported value type is chr.
@@ -993,6 +1005,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1012,7 +1025,6 @@ ADMX Info:
Specifies whether Windows apps can access the calendar.
-
Most restricted value is 2.
@@ -1046,6 +1058,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1088,6 +1101,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1130,6 +1144,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1172,6 +1187,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1191,7 +1207,6 @@ ADMX Info:
Specifies whether Windows apps can access call history.
-
Most restricted value is 2.
@@ -1225,6 +1240,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1267,6 +1283,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1309,6 +1326,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1351,6 +1369,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1370,7 +1389,6 @@ ADMX Info:
Specifies whether Windows apps can access the camera.
-
Most restricted value is 2.
@@ -1404,6 +1422,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1446,6 +1465,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1488,6 +1508,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1530,6 +1551,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1549,7 +1571,6 @@ ADMX Info:
Specifies whether Windows apps can access contacts.
-
Most restricted value is 2.
@@ -1583,6 +1604,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1625,6 +1647,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1667,6 +1690,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1709,6 +1733,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1728,7 +1753,6 @@ ADMX Info:
Specifies whether Windows apps can access email.
-
Most restricted value is 2.
@@ -1762,6 +1786,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1804,6 +1829,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1846,6 +1872,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1888,6 +1915,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1921,6 +1949,7 @@ This policy setting specifies whether Windows apps can access the eye tracker.
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1954,6 +1983,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1987,6 +2017,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2020,6 +2051,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2039,7 +2071,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
Specifies whether Windows apps can access location.
-
Most restricted value is 2.
@@ -2073,6 +2104,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2115,6 +2147,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2157,6 +2190,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2199,6 +2233,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2218,7 +2253,6 @@ ADMX Info:
Specifies whether Windows apps can read or send messages (text or MMS).
-
Most restricted value is 2.
@@ -2252,6 +2286,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2294,6 +2329,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2336,6 +2372,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2378,6 +2415,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2397,7 +2435,6 @@ ADMX Info:
Specifies whether Windows apps can access the microphone.
-
Most restricted value is 2.
@@ -2431,6 +2468,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2473,6 +2511,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2515,6 +2554,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2557,6 +2597,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2576,7 +2617,6 @@ ADMX Info:
Specifies whether Windows apps can access motion data.
-
Most restricted value is 2.
@@ -2610,6 +2650,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2652,6 +2693,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2694,6 +2736,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2736,6 +2779,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2755,7 +2799,6 @@ ADMX Info:
Specifies whether Windows apps can access notifications.
-
Most restricted value is 2.
@@ -2789,6 +2832,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2831,6 +2875,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2873,6 +2918,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2915,6 +2961,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2934,7 +2981,6 @@ ADMX Info:
Specifies whether Windows apps can make phone calls.
-
Most restricted value is 2.
@@ -2968,6 +3014,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3010,6 +3057,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3052,6 +3100,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3094,6 +3143,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3113,7 +3163,6 @@ ADMX Info:
Specifies whether Windows apps have access to control radios.
-
Most restricted value is 2.
@@ -3147,6 +3196,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3189,6 +3239,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3231,6 +3282,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3273,6 +3325,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3315,6 +3368,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3357,6 +3411,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3399,6 +3454,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3441,6 +3497,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3460,7 +3517,6 @@ ADMX Info:
Specifies whether Windows apps can access trusted devices.
-
Most restricted value is 2.
@@ -3494,6 +3550,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3536,6 +3593,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3578,6 +3636,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3620,6 +3679,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3670,6 +3730,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3720,6 +3781,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3739,7 +3801,6 @@ The following list shows the supported values:
Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
-
Most restricted value is 2.
@@ -3773,6 +3834,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3815,6 +3877,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3857,6 +3920,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3899,6 +3963,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3918,8 +3983,8 @@ ADMX Info:
Specifies whether Windows apps can run in the background.
-
Most restricted value is 2.
+
> [!WARNING]
> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
@@ -3954,6 +4019,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3996,6 +4062,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4013,7 +4080,7 @@ ADMX Info:
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability, to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
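Review bot: The comma added in "Listed apps are denied the ability, to run in the background" splits "ability" from the infinitive that completes it and should be removed; the original sentence was correct. This description also says "Microsoft Store Apps" while the sibling descriptions in this file say "Windows Store Apps", so it is worth settling on one name.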
@@ -4038,6 +4105,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4080,6 +4148,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4099,7 +4168,6 @@ ADMX Info:
Specifies whether Windows apps can sync with devices.
-
Most restricted value is 2.
@@ -4133,6 +4201,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4175,6 +4244,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4217,6 +4287,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4259,6 +4330,7 @@ ADMX Info:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4276,7 +4348,7 @@ ADMX Info:
-Allows It Admins to enable publishing of user activities to the activity feed.
+Allows IT Admins to enable publishing of user activities to the activity feed.
@@ -4307,6 +4379,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -4340,3 +4413,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
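Review bot: This file also ends without a trailing newline after the new "Related topics" link, as the "\ No newline at end of file" marker shows. Add a final newline here.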
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 64c53af12c..0faafb160a 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -52,6 +52,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -71,9 +72,9 @@ manager: dansimp
This policy setting lets you customize warning messages.
-The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before users share control of their computers.
+The "Display warning message before sharing control" policy setting allows you to specify a custom message, to display before users share control of their computers.
-The "Display warning message before connecting" policy setting allows you to specify a custom message to display before users allow a connection to their computers.
+The "Display warning message before connecting" policy setting allows you to specify a custom message, to display before users allow a connection to their computers.
If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
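Review bot: The comma added after "custom message" in both changed sentences separates the noun from the infinitive that qualifies it ("a custom message, to display before users ..."). The original wording without the comma was correct and read more clearly; I would revert both lines.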
@@ -104,6 +105,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -152,6 +154,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -181,7 +184,7 @@ If you enable this policy setting, you have two ways to allow helpers to provide
The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
-The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista since SMAPI is the only method supported.
+The "Select the method for sending email invitations" setting specifies which email standard to use, to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista, since SMAPI is the only method supported.
If you enable this policy setting, you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
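Review bot: In the changed sentence, "which email standard to use, to send Remote Assistance invitations" gains a comma that breaks up a single phrase. Drop that comma; the one added before "since SMAPI is the only method supported" is fine to keep.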
@@ -208,6 +211,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -246,23 +250,24 @@ If you enable this policy setting, you should also enable firewall exceptions to
Windows Vista and later
Enable the Remote Assistance exception for the domain profile. The exception must contain:
-Port 135:TCP
-%WINDIR%\System32\msra.exe
-%WINDIR%\System32\raserver.exe
+
+- Port 135:TCP
+- %WINDIR%\System32\msra.exe
+- %WINDIR%\System32\raserver.exe
Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
-Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-%WINDIR%\System32\Sessmgr.exe
+- Port 135:TCP
+- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+- %WINDIR%\System32\Sessmgr.exe
For computers running Windows Server 2003 with Service Pack 1 (SP1)
-Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-Allow Remote Desktop Exception
+- Port 135:TCP
+- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+- Allow Remote Desktop Exception
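Review bot: The blank `+` line is added only ahead of the first list (Windows Vista and later); the Windows XP and Windows Server 2003 lists start directly under their heading lines with no separator, so the three blocks are formatted inconsistently. Add the same blank line before each list. Also consider putting the executable paths in backticks, for example `%WINDIR%\System32\msra.exe`, so the backslashes are rendered literally and an administrator can copy the firewall exception entries verbatim. "Allow Remote Desktop Exception" is an instruction rather than a port or path, so it reads oddly as a bullet alongside them.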
@@ -278,3 +283,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index 7d2559655b..077e297205 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -41,6 +41,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -59,7 +60,7 @@ manager: dansimp
-This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to silently subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`.
+This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`.
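Review bot: Removing "silently" from "silently subscribe the logged on user" changes what the sentence documents, not just its style. The old text told an administrator that the subscription to the configured URL happens without user interaction, which is the detail someone reviewing this policy needs. If the behaviour is unchanged, keep the word or replace it with explicit wording; if the behaviour did change, the commit should say so.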
@@ -76,6 +77,7 @@ This policy allows administrators to enable automatic subscription for the Micro
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -93,7 +95,7 @@ This policy allows administrators to enable automatic subscription for the Micro
-This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs.
+This policy allows the user to load the DPAPI cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs.
@@ -111,3 +113,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 6519b2d40c..bc4a782639 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - RemoteDesktopServices
-
-
@@ -43,11 +41,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -60,6 +58,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -85,7 +84,8 @@ If you disable this policy setting, users can't connect remotely to the target c
If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed.
-Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
+> [!NOTE]
+> You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
@@ -112,6 +112,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -129,7 +130,7 @@ ADMX Info:
-Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
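Review bot: The replacement "Specifies whether it require the use of a specific encryption level" is ungrammatical and has no referent for "it". The removed wording, "Specifies whether to require the use of a specific encryption level", was correct; revert this line, or write "Specifies whether the use of a specific encryption level is required".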
@@ -141,9 +142,8 @@ If you enable this policy setting, all communications between clients and RD Ses
If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy.
-Important
-
-FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
+> [!IMPORTANT]
+> FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level, when communications between clients and RD Session Host servers requires the highest level of encryption.
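Review bot: The conversion to an `[!IMPORTANT]` alert is good, but the carried-over text still reads "through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings", which looks like a single setting name broken across a sentence boundary. Since this line is being rewritten anyway, fix that so the setting can be found by name. The comma added in "Use this encryption level, when communications ..." is not needed, and the closing parenthesis after "Security Options." should come before the period.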
@@ -168,6 +168,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -218,6 +219,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -264,6 +266,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -316,6 +319,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -343,7 +347,8 @@ If the status is set to Disabled, Remote Desktop Services always requests securi
If the status is set to Not Configured, unsecured communication is allowed.
-Note: The RPC interface is used for administering and configuring Remote Desktop Services.
+> [!NOTE]
+> The RPC interface is used for administering and configuring Remote Desktop Services.
@@ -360,3 +365,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index a0059027d9..82936149da 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - RemoteManagement
-
-
@@ -70,11 +68,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -87,6 +85,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -133,6 +132,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -179,6 +179,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -225,6 +226,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -271,6 +273,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -330,6 +333,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -376,6 +380,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -422,6 +427,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -468,6 +474,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -514,6 +521,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -560,6 +568,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -579,7 +588,7 @@ ADMX Info:
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service won't allow RunAs credentials to be stored for any plug-ins.
-If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
+If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer.
If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely.
@@ -608,6 +617,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -660,6 +670,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -677,9 +688,9 @@ ADMX Info:
-This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity.
+This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity.
-If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host.
+If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host.
If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.
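Review bot: Both changed sentences now read "to determine, if the destination host is a trusted entity". The comma turns the object of "determine" into what looks like a conditional clause, which obscures that TrustedHostsList is what decides trust. Remove the comma in both lines, as in the original text.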
@@ -706,6 +717,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -756,6 +768,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -798,3 +811,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index c2235cdbb4..29a499d619 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - RemoteProcedureCall
-
@@ -30,11 +29,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -47,6 +46,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -64,15 +64,16 @@ manager: dansimp
-This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
+This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service, when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
-If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-Note: This policy won't be applied until the system is rebooted.
+> [!NOTE]
+> This policy won't be applied until the system is rebooted.
@@ -97,6 +98,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -114,13 +116,13 @@ ADMX Info:
-This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
+This policy setting controls, how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
-This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
+This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
-If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
+If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client, and the value of "None" used for Server SKUs that support this policy setting.
If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
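Review bot: In the first changed line, "This policy setting controls, how the RPC server runtime handles unauthenticated RPC clients" puts a comma between the verb and its object; remove it. The comma added before "and the value of "None" used for Server SKUs" is harmless, but the disable and not-configured paragraphs describe the same defaults in slightly different words ("Windows Server versions" versus "Server SKUs"), which would be worth aligning while these lines are open.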
@@ -128,7 +130,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
+- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
> [!NOTE]
> This policy setting won't be applied until the system is rebooted.
@@ -148,3 +150,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 25abffed2e..9596508d36 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - RemoteShell
-
@@ -45,11 +44,11 @@ manager: dansimp
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,6 +61,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -108,6 +108,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -127,7 +128,7 @@ ADMX Info:
This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system.
-The value can be any number from 1 to 100.
+The value can be any number from 1 to 100.
If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit.
@@ -156,6 +157,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -173,7 +175,7 @@ ADMX Info:
-This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted.
+This policy setting configures the maximum time in milliseconds, and remote shell will stay open without any user activity until it is automatically deleted.
Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values.
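Review bot: The rewritten sentence, "configures the maximum time in milliseconds, and remote shell will stay open without any user activity until it is automatically deleted", no longer says what the timeout applies to. The removed line stated that the value is the maximum idle time a remote shell stays open before deletion; the new one reads as two unrelated statements. Revert to the original, or write "the maximum time, in milliseconds, that a remote shell will stay open without any user activity before it is automatically deleted".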
@@ -204,6 +206,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -252,6 +255,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -273,7 +277,7 @@ This policy setting configures the maximum number of processes a remote shell is
If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes.
-If you disable or do not configure this policy setting, the limit is five processes per shell.
+If you disable or do not configure this policy setting, the limit is five processes per shell.
@@ -298,6 +302,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -315,7 +320,7 @@ ADMX Info:
-This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.
+This policy setting configures the maximum number of concurrent shells and any user can remotely open on the same system.
Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells.
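Review bot: Inserting "and" in "the maximum number of concurrent shells and any user can remotely open on the same system" breaks the sentence and loses the fact that the limit is per user. Restore the original wording, "the maximum number of concurrent shells any user can remotely open on the same system", or add "that" after "shells".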
@@ -346,6 +351,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -380,3 +386,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 4c77b145dc..c72678c913 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -15,7 +15,7 @@ manager: dansimp
# Policy CSP - RestrictedGroups
> [!IMPORTANT]
-> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
+> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy, to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
@@ -41,6 +41,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -60,7 +61,7 @@ manager: dansimp
This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
-For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed.
+For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed.
> [!CAUTION]
> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
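Review bot: On the changed "For example" line, the period after "specified users" splits the sentence and leaves "Alice and John, to be members of the Backup Operators group." as a fragment. Restore the comma so it reads "to allow only specified users, Alice and John, to be members of the Backup Operators group". The unchanged paragraph above it also has "SIDS", which should be "SIDs" and could be fixed in the same pass.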
@@ -69,7 +70,7 @@ For example, you can create a Restricted Groups policy to allow only specified u
> |----------|----------|----------|----------|
> | 0x55b (Hex) 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
-Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution.
+Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution.
```xml
@@ -152,7 +153,7 @@ The following table describes how this policy setting behaves in different Windo
| ------------------ | --------------- |
|Windows 10, version 1803 | Added this policy setting. XML accepts group and member only by name. Supports configuring the administrators group using the group name. Expects member name to be in the account name format. |
| Windows 10, version 1809 Windows 10, version 1903 Windows 10, version 1909 | Supports configuring any local group. `` accepts only name. `` accepts a name or an SID. This is useful when you want to ensure a certain local group always has a well-known SID as member. |
-| Windows 10, version 2004 | Behaves as described in this topic. Accepts name or SID for group and members and translates as appropriate. |
+| Windows 10, version 2004 | Behaves as described in this topic. Accepts name or SID for group and members and translates as appropriate.|
@@ -160,3 +161,7 @@ The following table describes how this policy setting behaves in different Windo
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index b56f078278..587c5e393d 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -80,6 +80,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -97,7 +98,7 @@ manager: dansimp
-Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
+Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
@@ -129,6 +130,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -177,6 +179,7 @@ This value is a simple boolean value, default false, that can be set by MDM poli
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -231,6 +234,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -250,9 +254,9 @@ The following list shows the supported values:
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
-When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
+When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes file path and date modified.
-When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are many WIP-protected media files on the device.
+When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps, if there are many WIP-protected media files on the device.
Most restricted value is 0.
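Review bot: Dropping "things like" on the metadata line turns an illustrative list into one that reads as exhaustive. This sentence tells admins what ends up in an unencrypted location, so keep wording such as "The metadata includes details such as file path and date modified" unless the list really is complete. While these lines are being edited, make "WIP protected" consistent with "WIP-protected" later in the same paragraph, and drop the comma added before "if there are many".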
@@ -285,6 +289,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -335,6 +340,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -357,7 +363,6 @@ This policy controls whether search highlights are shown in the search box or in
- If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home.
- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home.
-
ADMX Info:
@@ -369,11 +374,13 @@ ADMX Info:
The following list shows the supported values in Windows 10:
-- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home.
+
+- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home.
- Disabled – Disabling this setting turns off search highlights in the taskbar search box and in search home.
The following list shows the supported values in Windows 11:
+
- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home.
- Disabled – Disabling this setting turns off search highlights in the start menu search box and in search home.
@@ -403,6 +410,7 @@ This policy has been deprecated.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -422,7 +430,6 @@ This policy has been deprecated.
Allows the use of diacritics.
-
Most restricted value is 0.
@@ -454,6 +461,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -471,7 +479,7 @@ The following list shows the supported values:
-Allow Windows indexer. Value type is integer.
+Allow Windows indexer. Supported value type is integer.
@@ -487,6 +495,7 @@ Allow Windows indexer. Value type is integer.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -506,7 +515,6 @@ Allow Windows indexer. Value type is integer.
Specifies whether to always use automatic language detection when indexing content and properties.
-
Most restricted value is 0.
@@ -538,6 +546,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -586,6 +595,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -638,6 +648,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -659,9 +670,9 @@ Don't search the web or display web results in Search, or show search highlights
This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home.
-- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
+- If you enable this policy setting, queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
-- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
+- If you disable this policy setting, queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
@@ -675,8 +686,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 - Not allowed. Queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
-- 1 (default) - Allowed. Queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
+- 0 - Not allowed. Queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home.
+- 1 (default) - Allowed. Queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home.
@@ -692,6 +703,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -711,7 +723,7 @@ The following list shows the supported values:
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
-Enable this policy if computers in your environment have limited hard drive space.
+Enable this policy, if computers in your environment have limited hard drive space.
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
@@ -744,6 +756,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -786,3 +799,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index dcf870fbf8..7399515109 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Security
-
@@ -53,7 +52,6 @@ manager: dansimp
-
@@ -65,6 +63,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -127,6 +126,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -167,6 +167,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
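Review bot: The Home row in this table has empty cells ("|Home|||"), unlike the other edition tables in this file, which state "Yes" or "No" for each release. Since this hunk already edits the table to add the Windows SE row, fill in the Home values too so the applicability is not left ambiguous.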
@@ -185,7 +186,7 @@ The following list shows the supported values:
-Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
+Admin access is required. The prompt will appear on first admin logon after a reboot, when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
@@ -200,7 +201,7 @@ ADMX Info:
The following list shows the supported values:
- 0 (default) – Won't force recovery from a non-ready TPM state.
-- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
+- 1 – Will prompt to clear the TPM, if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
@@ -216,6 +217,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -242,9 +244,9 @@ Configures the use of passwords for Windows features.
The following list shows the supported values:
-- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features)
-- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features)
-- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords")
+- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features).
+- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features).
+- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords").
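Review bot: The three changed value lines still use inconsistent separators: "0 -Disallow", "1- Allow" and "2- Default". Normalize them to "0 - ", "1 - " and "2 - " in this same edit, matching the "0 - Default" style used for the RecoveryEnvironment values later in the file.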
@@ -260,6 +262,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -303,6 +306,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -324,9 +328,10 @@ The following list shows the supported values:
This policy controls the Admin Authentication requirement in RecoveryEnvironment.
Supported values:
-- 0 - Default: Keep using default(current) behavior
-- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment
-- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment
+
+- 0 - Default: Keep using default(current) behavior.
+- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment.
+- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment.
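Review bot: On the changed line for value 0, "default(current)" is missing a space before the parenthesis. Write "default (current) behavior" while the line is being edited.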
@@ -374,6 +379,7 @@ If the MDM policy is set to "NoRequireAuthentication" (2)
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -393,7 +399,6 @@ If the MDM policy is set to "NoRequireAuthentication" (2)
Allows enterprise to turn on internal storage encryption.
-
Most restricted value is 1.
> [!IMPORTANT]
@@ -420,6 +425,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -460,6 +466,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -477,8 +484,7 @@ The following list shows the supported values:
-Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-
+Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS), when a device boots or reboots.
Setting this policy to 1 (Required):
@@ -488,7 +494,6 @@ Setting this policy to 1 (Required):
> [!NOTE]
> We recommend that this policy is set to Required after MDM enrollment.
-
Most restricted value is 1.
@@ -504,3 +509,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 118dd3a3a7..55e1034d36 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -12,8 +12,6 @@ ms.date: 09/27/2019
# Policy CSP - ServiceControlManager
-
-
@@ -25,7 +23,6 @@ ms.date: 09/27/2019
-
@@ -37,6 +34,7 @@ ms.date: 09/27/2019
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
+|Windows SE|No|No|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -67,11 +65,11 @@ If you disable or do not configure this policy setting, the stricter security se
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
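Review bot: The last line of the tip recommends "a variety of online encoders" for XML-encoding the SyncML payload and links to the XML specification over plain http. Policy payloads can contain environment-specific configuration, so the text should point to a local encoding step or the CDATA option first, and the link should use https://www.w3.org/TR/REC-xml/#sec-cdata-sect. Both changed lines in this hunk otherwise look like whitespace-only edits, so this is a good place to make those changes.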
@@ -96,3 +94,7 @@ Supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 1b0e0f8bc4..1b3303cfb8 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -64,7 +64,6 @@ manager: dansimp
-
@@ -76,6 +75,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -120,6 +120,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -163,6 +164,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -249,7 +251,7 @@ This policy disables edit device name option on Settings.
-Describes what values are supported in by this policy and meaning of each value, default value.
+Describes what values are supported in/by this policy and meaning of each value, and default value.
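Review bot: The changed sentence, "Describes what values are supported in/by this policy and meaning of each value, and default value", is template placeholder text rather than documentation, and "in/by" makes it harder to read. Replace it with the actual supported values and the default for this policy instead of rewording the placeholder.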
@@ -265,6 +267,7 @@ Describes what values are supported in by this policy and meaning of each value,
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -306,6 +309,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -350,6 +354,7 @@ ADMX Info:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -391,6 +396,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -432,6 +438,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -473,6 +480,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -513,6 +521,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -554,6 +563,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -594,6 +604,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -611,7 +622,7 @@ The following list shows the supported values:
-Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
@@ -644,6 +655,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -664,21 +676,21 @@ The following list shows the supported values:
Allows IT Admins to either:
-- Prevent specific pages in the System Settings app from being visible or accessible
+- Prevent specific pages in the System Settings app from being visible or accessible.
OR
-- To do so for all pages except the pages you enter
+- To do so for all pages except the pages you enter.
The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix.
-For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
`showonly:about;bluetooth`
-If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list.
+If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable, if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list.
The format of the PageVisibilityList value is as follows:
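Review bot: With a period added, the second bullet "To do so for all pages except the pages you enter." is not parallel with the first bullet and depends on it for its meaning. Suggest "Prevent all pages except the ones you list from being visible or accessible." The comma added before "if data corruption occurs" on the last changed line should also be dropped.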
@@ -721,3 +733,6 @@ To validate on Desktop, use the following steps:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 5da64f872e..cb36588175 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -44,6 +44,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -95,6 +96,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -143,6 +145,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index fe81410adf..f46af42add 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Speech
-
@@ -26,7 +25,6 @@ manager: dansimp
-
@@ -38,6 +36,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -79,3 +78,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index f760f05bc0..3eacbd485d 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Start
-
@@ -119,18 +118,19 @@ manager: dansimp
-
**Start/AllowPinnedFolderDocuments**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
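Review bot: The added lead-in "The table below shows the applicability of Windows:" does not say what the table shows; something like "The table below shows the Windows editions and versions this policy applies to:" would be clearer. The same sentence is added before each policy table in the following hunks of this file, while the tables in the other files of this change get no lead-in, so pick one convention.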
@@ -156,7 +156,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
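Review bot: The changed "65535 (default) - There's" line uses a hyphen as the separator, while the unchanged "0 –" and "1 –" items directly above it use an en dash. Since the line is being edited anyway, use the same separator as the other two items; the identical change recurs in the later AllowPinnedFolder hunks.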
@@ -167,11 +167,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderDownloads**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -197,7 +199,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -208,11 +210,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderFileExplorer**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -238,7 +242,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -249,11 +253,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderHomeGroup**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -279,7 +285,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -290,11 +296,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderMusic**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -320,7 +328,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -331,11 +339,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderNetwork**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -361,7 +371,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -372,11 +382,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderPersonalFolder**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -402,7 +414,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -413,11 +425,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderPictures**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -443,7 +457,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -454,11 +468,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderSettings**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -484,7 +500,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -495,11 +511,13 @@ The following list shows the supported values:
**Start/AllowPinnedFolderVideos**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -525,7 +543,7 @@ The following list shows the supported values:
- 0 – The shortcut is hidden and disables the setting in the Settings app.
- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - there's no enforced configuration and the setting can be changed by the user.
+- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user.
@@ -597,11 +615,13 @@ This string policy will take a JSON file (expected name LayoutModification.json)
**Start/DisableContextMenus**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -652,11 +672,13 @@ The following list shows the supported values:
**Start/ForceStartSize**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -678,7 +700,6 @@ The following list shows the supported values:
Forces the start screen size.
-
If there's policy configuration conflict, the latest configuration request is applied to the device.
@@ -698,11 +719,13 @@ The following list shows the supported values:
**Start/HideAppList**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -729,10 +752,9 @@ Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-
To validate on Desktop, do the following steps:
-- 1 - Enable policy and restart explorer.exe
+- 1 - Enable policy and restart explorer.exe.
- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle isn't grayed out.
- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
- 2c - If set to '3': Verify that there's no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
@@ -755,11 +777,13 @@ The following list shows the supported values:
**Start/HideChangeAccountSettings**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -802,11 +826,13 @@ To validate on Desktop, do the following steps:
**Start/HideFrequentlyUsedApps**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -844,8 +870,8 @@ To validate on Desktop, do the following steps:
1. Enable "Show most used apps" in the Settings app.
2. Use some apps to get them into the most used group in Start.
3. Enable policy.
-4. Restart explorer.exe
-5. Check that "Show most used apps" Settings toggle is grayed out.
+4. Restart explorer.exe.
+5. Check that "Show most used apps" Settings toggle is grayed out.
6. Check that most used apps don't appear in Start.
@@ -857,11 +883,13 @@ To validate on Desktop, do the following steps:
**Start/HideHibernate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -881,7 +909,6 @@ To validate on Desktop, do the following steps:
Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-
> [!NOTE]
> This policy can only be verified on laptops as "Hibernate" doesn't appear on regular PC's.
@@ -908,11 +935,13 @@ To validate on Laptop, do the following steps:
**Start/HideLock**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -955,11 +984,13 @@ To validate on Desktop, do the following steps:
**Start/HidePeopleBar**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -979,7 +1010,7 @@ To validate on Desktop, do the following steps:
Enabling this policy removes the people icon from the taskbar and the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
-Value type is integer.
+Supported value type is integer.
@@ -1005,11 +1036,13 @@ The following list shows the supported values:
**Start/HidePowerButton**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1055,11 +1088,13 @@ To validate on Desktop, do the following steps:
**Start/HideRecentJumplists**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1098,7 +1133,7 @@ To validate on Desktop, do the following steps:
3. Right click the pinned photos app and verify that a jump list of recently opened items pops up.
4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists.
5. Enable policy.
-6. Restart explorer.exe
+6. Restart explorer.exe.
7. Check that Settings toggle is grayed out.
8. Repeat Step 2.
9. Right Click pinned photos app and verify that there's no jump list of recent items.
@@ -1112,11 +1147,13 @@ To validate on Desktop, do the following steps:
**Start/HideRecentlyAddedApps**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1162,7 +1199,7 @@ To validate on Desktop, do the following steps:
1. Enable "Show recently added apps" in the Settings app.
2. Check if there are recently added apps in Start (if not, install some).
3. Enable policy.
-4. Restart explorer.exe
+4. Restart explorer.exe.
5. Check that "Show recently added apps" Settings toggle is grayed out.
6. Check that recently added apps don't appear in Start.
@@ -1175,11 +1212,13 @@ To validate on Desktop, do the following steps:
**Start/HideRestart**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1222,11 +1261,13 @@ To validate on Desktop, do the following steps:
**Start/HideShutDown**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1269,11 +1310,13 @@ To validate on Desktop, do the following steps:
**Start/HideSignOut**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1316,11 +1359,13 @@ To validate on Desktop, do the following steps:
**Start/HideSleep**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1363,11 +1408,13 @@ To validate on Desktop, do the following steps:
**Start/HideSwitchAccount**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1410,11 +1457,13 @@ To validate on Desktop, do the following steps:
**Start/HideUserTile**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1461,11 +1510,13 @@ To validate on Desktop, do the following steps:
**Start/ImportEdgeAssets**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1497,16 +1548,16 @@ Here's more SKU support information:
This policy imports Edge assets (for example, .png/.jpg files) for secondary tiles into its local app data path, which allows the StartLayout policy to pin Edge secondary tiles as weblink that ties to the image asset files.
> [!IMPORTANT]
-> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
+> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy, whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles).
+The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles).
To validate on Desktop, do the following steps:
1. Set policy with an XML for Edge assets.
-2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
+2. Set StartLayout policy to anything so that would trigger the Edge assets import.
3. Sign out/in.
4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
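Review bot: Step 2 loses its subject in the new wording: "so that would trigger the Edge assets import" is ungrammatical where the removed line had "so that it would trigger". Keep the original sentence, or rephrase as "Set StartLayout policy to any value to trigger the Edge assets import." The comma added before "whenever" in the IMPORTANT note is also unnecessary, and "Please note that" could be dropped while the line is being edited.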
@@ -1519,11 +1570,13 @@ To validate on Desktop, do the following steps:
**Start/NoPinningToTaskbar**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1541,7 +1594,7 @@ To validate on Desktop, do the following steps:
-Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
+Allows IT Admins to configure the taskbar by disabling, pinning, and unpinning apps on the taskbar.
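Review bot: The commas added in "by disabling, pinning, and unpinning apps" change the meaning of the policy description. The removed line says the policy disables the user's ability to pin and unpin apps; the new line reads as a list of three separate admin actions. Restore "by disabling pinning and unpinning apps on the taskbar", or make it explicit with "by preventing users from pinning and unpinning apps on the taskbar".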
@@ -1565,7 +1618,6 @@ To validate on Desktop, do the following steps:
-
**Start/ShowOrHideMostUsedApps**
@@ -1622,9 +1674,9 @@ To validate on Desktop, do the following steps:
The following list shows the supported values:
-- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings
-- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings
-- Not set - User can use Settings to hide or show Most Used Apps in Start Menu
+- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings.
+- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings.
+- Not set - User can use Settings to hide or show Most Used Apps in Start Menu.
On clean install, the user setting defaults to "hide".
@@ -1638,11 +1690,13 @@ On clean install, the user setting defaults to "hide".
**Start/StartLayout**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|No|
+|Windows SE|No|No|
|Business|Yes|No|
|Enterprise|Yes|No|
|Education|Yes|No|
@@ -1672,7 +1726,7 @@ Here's more SKU support information:
|Windows 10, version 1607 and later |Enterprise, Education, Business |
|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation |
-Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
+Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy.
For more information on how to customize the Start layout, see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar).
@@ -1689,3 +1743,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
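Review bot: The new last line of the file, the "Policy configuration service provider" link, is committed without a trailing newline, as the "\ No newline at end of file" marker shows. End the file with a newline so that a later append to this page does not show the link line as modified. The same marker appears on the Related topics block added to policy-csp-storage.md.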
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 383f6aedfb..a9e43b4855 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Storage
-
@@ -65,18 +64,19 @@ manager: dansimp
-
**Storage/AllowDiskHealthModelUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -96,7 +96,7 @@ manager: dansimp
Allows disk health model updates.
-Value type is integer.
+Supported value type is integer.
@@ -122,16 +122,19 @@ The following list shows the supported values:
**Storage/AllowStorageSenseGlobal**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
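Review bot: The Home row in this table is left as "|Home|||" with both cells empty, while the row added directly below it states "No" and "Yes" explicitly for Windows SE. Since the table is being edited, fill in the Home cells so that readers do not have to guess whether blank means unsupported. The same blank Home row is in the other Storage Sense tables in this file.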
@@ -146,7 +149,7 @@ Note: Versions prior to version 1903 don't support group policy.
-Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy.
+Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space, and it is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy.
If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy).
@@ -179,16 +182,19 @@ ADMX Info:
**Storage/AllowStorageSenseTemporaryFilesCleanup**
+Versions prior to version 1903 don't support group policy.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
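Review bot: The line added above the edition table in this section is "Versions prior to version 1903 don't support group policy." where every other section gets the table lead-in sentence, which looks like a paste error. The result is that the 1903 statement now appears twice in the section, once as plain text above the table and once as the NOTE below it. Replace the first occurrence with the same table lead-in used in the other sections.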
@@ -239,16 +245,19 @@ ADMX Info:
**Storage/ConfigStorageSenseCloudContentDehydrationThreshold**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
@@ -299,16 +308,19 @@ ADMX Info:
**Storage/ConfigStorageSenseDownloadsCleanupThreshold**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
@@ -359,16 +371,19 @@ ADMX Info:
**Storage/ConfigStorageSenseGlobalCadence**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
@@ -425,16 +440,19 @@ ADMX Info:
**Storage/ConfigStorageSenseRecycleBinCleanupThreshold**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|||
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to version 1903 don't support group policy.
+> [!NOTE]
+> Versions prior to version 1903 don't support group policy.
@@ -485,11 +503,13 @@ ADMX Info:
**Storage/EnhancedStorageDevices**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -509,17 +529,17 @@ ADMX Info:
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
-If you enable this policy setting, Windows won't activate unactivated Enhanced Storage devices.
+If you enable this policy setting, Windows won't activate un-activated Enhanced Storage devices.
-If you disable or don't configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
+If you disable or don't configure this policy setting, Windows will activate un-activated Enhanced Storage devices.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
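Review bot: The re-added CDATA line in the TIP still links to http://www.w3.org/TR/REC-xml/#sec-cdata-sect over plain HTTP; since the line is being touched anyway, switch the link to https. Separately, changing "unactivated" to "un-activated" in the two policy sentences adds a hyphen that is not needed; consider keeping "unactivated" as in the removed lines. The context line with <Format>chr</Format> is not escaped or in backticks, so the tags may not render in the published page.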
@@ -537,11 +557,13 @@ ADMX Info:
**Storage/RemovableDiskDenyWriteAccess**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -564,7 +586,7 @@ If you enable this policy setting, write access is denied to this removable stor
> [!Note]
> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
-Supported values:
+Supported values for this policy are:
- 0 - Disable
- 1 - Enable
@@ -597,11 +619,13 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
**Storage/WPDDevicesDenyReadAccessPerDevice**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -621,16 +645,16 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
-- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
-- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
-- Mass Storage Class (MSC) over USB
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
+- Mass Storage Class (MSC) over USB.
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android.
>[!NOTE]
-> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, for example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer.
Supported values for this policy are:
- Not configured
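Review bot: The rewritten NOTE fixes "browser" to "browse" but keeps "admin can not" and "an USB thumb drive"; these should be "admins cannot" and "a USB thumb drive". The context line above it also says "Windows Portal devices", which looks like a typo for "Windows Portable Devices" given the WPD policy name, and the first sentence spells "IOS" where the later one spells "iOS". The same wording is repeated in the other three WPD sections of this file.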
@@ -659,11 +683,13 @@ ADMX Info:
**Storage/WPDDevicesDenyReadAccessPerUser**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -683,16 +709,16 @@ ADMX Info:
This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
-- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
-- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
-- Mass Storage Class (MSC) over USB
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
+- Mass Storage Class (MSC) over USB.
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android.
>[!NOTE]
-> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer.
Supported values for this policy are:
- Not configured
@@ -721,11 +747,13 @@ ADMX Info:
**Storage/WPDDevicesDenyWriteAccessPerDevice**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -745,16 +773,16 @@ ADMX Info:
This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
-- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
-- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
-- Mass Storage Class (MSC) over USB
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
+- Mass Storage Class (MSC) over USB.
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android.
>[!NOTE]
-> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer.
Supported values for this policy are:
- Not configured
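Review bot: The bullet list in this section says the policy enforces over Mass Storage Class (MSC) over USB, while the rewritten NOTE says a USB thumb drive can still be browsed via explorer under a WPD policy, so the two statements read as contradictory. Suggest stating which one holds for MSC devices and pointing admins who need to block writes to removable drives at Storage/RemovableDiskDenyWriteAccess, which is documented earlier in this file.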
@@ -783,11 +811,13 @@ ADMX Info:
**Storage/WPDDevicesDenyWriteAccessPerUser**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -807,16 +837,16 @@ ADMX Info:
This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
-- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
-- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
-- Mass Storage Class (MSC) over USB
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
+- Mass Storage Class (MSC) over USB.
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android.
>[!NOTE]
-> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer.
Supported values for this policy are:
- Not configured
@@ -846,16 +876,19 @@ ADMX Info:
**StorageHealthMonitor/DisableStorageHealthMonitor**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Note: Versions prior to 21H2 will not support this policy
+> [!NOTE]
+> Versions prior to 21H2 will not support this policy
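Review bot: The converted note on the last added line says versions prior to 21H2 do not support this policy, but the table above it lists Windows 10 as "Yes" for Home, Pro, Business, Enterprise, and Education with no version qualifier. Either qualify the Windows 10 column or state in the note which product's 21H2 is meant; the note also lacks the terminal period that the rest of this change adds.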
@@ -872,15 +905,15 @@ Note: Versions prior to 21H2 will not support this policy
Allows disable of Storage Health Monitor.
-Value type is integer.
+Supported value type is integer.
The following list shows the supported values:
-- 0 - Storage Health Monitor is Enabled
-- 1 - Storage Health Monitor is Disabled
+- 0 - Storage Health Monitor is Enabled.
+- 1 - Storage Health Monitor is Disabled.
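Review bot: The description line "Allows disable of Storage Health Monitor." is left as context and is ungrammatical; suggest "Allows you to disable Storage Health Monitor." while the neighbouring lines are being edited. In the value list, "Enabled" and "Disabled" are capitalised mid-sentence; lower-case them or drop "is" so they read as state labels.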
@@ -889,3 +922,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
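Review bot: The new "Related topics" block leaves the file without a trailing newline (the "\ No newline at end of file" marker after the link line). Add a final newline so later appends do not produce a spurious change on the link line.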
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index a2830db2e2..eddad6eb01 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - System
-
-
@@ -118,11 +116,13 @@ manager: dansimp
**System/AllowBuildPreview**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -171,11 +171,13 @@ The following list shows the supported values:
**System/AllowCommercialDataPipeline**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -192,12 +194,12 @@ The following list shows the supported values:
-This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
+This policy setting configures an Azure Active Directory joined device, so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
To enable this behavior, you must complete two steps:
- 1. Enable this policy setting
- 2. Join an Azure Active Directory account to the device
+ 1. Enable this policy setting.
+ 2. Join an Azure Active Directory account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above.
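Review bot: The comma added in "Azure Active Directory joined device, so that Microsoft is the processor" splits a purpose clause and should be dropped. The same sentence appears without the comma elsewhere in this file (it is visible in later hunk headers), so this change makes the wording inconsistent across policies. The periods added to the two numbered steps are fine.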
@@ -244,11 +246,11 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior, you must complete three steps:
- 1. Enable this policy setting
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above
- 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace
+ 1. Enable this policy setting.
+ 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
+ 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
-This setting has no effect on devices unless they're properly enrolled in Desktop Analytics.
+This setting has no effect on devices, unless they're properly enrolled in Desktop Analytics.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
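Review bot: The comma added before "unless" in "This setting has no effect on devices, unless they're properly enrolled in Desktop Analytics." is not needed for a restrictive condition; suggest reverting it. Step 3, "Set the Configure the Commercial ID setting for your Desktop Analytics workspace.", is hard to parse; format the setting name (for example, bold **Configure the Commercial ID**) so the sentence reads cleanly.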
@@ -268,11 +270,13 @@ The following list shows the supported values:
**System/AllowDeviceNameInDiagnosticData**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -289,7 +293,7 @@ The following list shows the supported values:
-This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data.
+This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data.
@@ -322,11 +326,13 @@ The following list shows the supported values:
**System/AllowEmbeddedMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -363,11 +369,13 @@ The following list shows the supported values:
**System/AllowExperimentation**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -389,7 +397,6 @@ The following list shows the supported values:
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
-
Most restricted value is 0.
@@ -409,11 +416,13 @@ The following list shows the supported values:
**System/AllowFontProviders**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -451,8 +460,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available.
-- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
+- 0 - false - No traffic to fs.microsoft.com, and only locally installed fonts are available.
+- 1 - true (default) - There may be network traffic to fs.microsoft.com, and downloadable fonts are available to apps that support them.
@@ -469,11 +478,13 @@ To verify if System/AllowFontProviders is set to true:
**System/AllowLocation**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -492,7 +503,6 @@ To verify if System/AllowFontProviders is set to true:
Specifies whether to allow app access to the Location service.
-
Most restricted value is 0.
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
@@ -531,7 +541,7 @@ This policy setting configures an Azure Active Directory joined device so that M
For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data).
-This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop.
+This setting has no effect on devices, unless they're properly enrolled in Microsoft Managed Desktop.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -546,11 +556,13 @@ If you disable this policy setting, devices may not appear in Microsoft Managed
**System/AllowStorageCard**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -575,7 +587,7 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
+- 0 – SD card use isn't allowed, and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
- 1 (default) – Allow a storage card.
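Review bot: On the changed value 0 line, the second sentence ("This setting doesn't prevent programmatic access to the storage card.") is the security-relevant caveat and is easy to miss at the end of a list item; consider moving it into a `> [!NOTE]` callout under the list so admins do not treat value 0 as a complete block. This list also uses an en dash ("0 –") where other value lists in this change use a hyphen ("0 -").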
@@ -587,11 +599,13 @@ The following list shows the supported values:
**System/AllowTelemetry**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -618,7 +632,6 @@ The following list shows the supported values for Windows 8.1:
- 1 – Allowed, except for Secondary Data Requests.
- 2 (default) – Allowed.
-
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
@@ -657,11 +670,13 @@ ADMX Info:
**System/AllowUpdateComplianceProcessing**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -683,9 +698,9 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior, you must complete three steps:
- 1. Enable this policy setting
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above
- 3. Set the Configure the Commercial ID setting for your Update Compliance workspace
+ 1. Enable this policy setting.
+ 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
+ 3. Set the Configure the Commercial ID setting for your Update Compliance workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -716,11 +731,13 @@ The following list shows the supported values:
**System/AllowUserToResetPhone**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -765,9 +782,9 @@ This policy setting configures an Azure Active Directory joined device so that M
To enable this behavior, you must complete three steps:
- 1. Enable this policy setting
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above
- 3. Join an Azure Active Directory account to the device
+ 1. Enable this policy setting.
+ 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
+ 3. Join an Azure Active Directory account to the device.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -788,11 +805,13 @@ The following list shows the supported values:
**System/BootStartDriverInitialization**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -815,19 +834,19 @@ This policy setting allows you to specify which boot-start drivers are initializ
- Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver.
- Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver.
-If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize the next time the computer is started.
+If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize next time the computer is started.
-If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
+If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown, or Bad, but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
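Review bot: The commas added in "Good, Unknown, or Bad, but Boot Critical are initialized" change the meaning: the sentence now reads as if Bad drivers are initialized, which contradicts its own ending ("initialization of drivers determined to be Bad is skipped"). The third category is the single classification "Bad but Boot Critical" (listed above as "Bad, but required for boot"), so keep it as one unit, for example by quoting or bolding each classification name. Dropping "the" in "to initialize next time the computer is started" also reads worse than the original. In the tip, the CDATA link still uses http://www.w3.org/...; switch it to https while editing that line.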
@@ -845,11 +864,13 @@ ADMX Info:
**System/ConfigureMicrosoft365UploadEndpoint**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -872,7 +893,7 @@ If your organization is participating in the program and has been instructed to
The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
-Value type is string.
+Supported value type is string.
ADMX Info:
@@ -900,11 +921,13 @@ ADMX Info:
**System/ConfigureTelemetryOptInChangeNotification**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -922,8 +945,9 @@ ADMX Info:
This policy setting determines whether a device shows notifications about telemetry levels to people on first sign in or when changes occur in Settings.
-If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing.
-If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings.
+
+- If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing.
+- If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings.
@@ -948,11 +972,13 @@ The following list shows the supported values:
**System/ConfigureTelemetryOptInSettingsUx**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1001,11 +1027,13 @@ The following list shows the supported values:
**System/DisableDeviceDelete**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1023,8 +1051,9 @@ The following list shows the supported values:
This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page.
-If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device.
-If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device.
+
+- If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device.
+- If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device.
@@ -1053,11 +1082,13 @@ ADMX Info:
**System/DisableDiagnosticDataViewer**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1075,8 +1106,9 @@ ADMX Info:
This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
-If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.
-If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page.
+
+- If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.
+- If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page.
@@ -1105,11 +1137,13 @@ ADMX Info:
**System/DisableEnterpriseAuthProxy**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1126,7 +1160,7 @@ ADMX Info:
-This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy, to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy, to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
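Review bot: The two commas added in "using an authenticated proxy, to send data back to Microsoft" separate the verb from its purpose and should be removed. The paragraph also states the enabled behaviour twice (first and last sentences); consider splitting it into an "If you enable" / "If you disable or don't configure" bullet pair, as done for other policies in this change, so the proxy behaviour for each state is unambiguous.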
@@ -1146,11 +1180,13 @@ ADMX Info:
**System/DisableOneDriveFileSync**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1209,11 +1245,13 @@ To validate on Desktop, do the following steps:
**System/DisableSystemRestore**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1236,19 +1274,19 @@ This policy setting allows you to turn off System Restore.
System Restore enables users, in case of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
-If you enable this policy setting, System Restore is turned off, and the System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
+If you enable this policy setting, System Restore is turned off, then System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
-If you disable or don't configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
+If you disable or don't configure this policy setting, users can perform System Restore, and configure System Restore settings through System Protection.
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
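Review bot: Replacing "and the" with "then" in "System Restore is turned off, then System Restore Wizard can't be accessed" leaves a comma splice and drops the article; the original "and the System Restore Wizard can't be accessed" was correct. The comma added in "users can perform System Restore, and configure System Restore settings" is also unnecessary because both verbs share the subject "users". In the tip, the CDATA link still uses http://www.w3.org/...; switch it to https while editing that line.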
@@ -1266,11 +1304,13 @@ ADMX Info:
**System/FeedbackHubAlwaysSaveDiagnosticsLocally**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1305,11 +1345,13 @@ The following list shows the supported values:
**System/LimitDiagnosticLogCollection**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1326,7 +1368,7 @@ The following list shows the supported values:
-This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection.
+This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection.
If you disable or don't configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data.
@@ -1354,11 +1396,13 @@ The following list shows the supported values:
**System/LimitDumpCollection**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1375,7 +1419,7 @@ The following list shows the supported values:
-This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data.
+This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data.
With this policy setting being enabled, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only.
@@ -1404,11 +1448,13 @@ The following list shows the supported values:
**System/LimitEnhancedDiagnosticDataWindowsAnalytics**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1438,9 +1484,8 @@ To enable this behavior, you must complete two steps:
> [!NOTE]
> **Enhanced** is no longer an option for Windows Holographic, version 21H1.
- - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
+ - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full).
-
When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics.
Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
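Review bot: The context sentence "These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics." points at a document but carries no link in the visible text. While this block is being touched, restore the link target or reword it so readers can find the event list that defines what is sent under this setting.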
@@ -1465,11 +1510,13 @@ ADMX Info:
**System/TelemetryProxy**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1508,11 +1555,13 @@ ADMX Info:
**System/TurnOffFileHistory**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1560,3 +1609,7 @@ The following list shows the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index c979583ff0..7ecb2141a8 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - SystemServices
-
-
@@ -49,11 +47,13 @@ manager: dansimp
**SystemServices/ConfigureHomeGroupListenerServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -71,7 +71,9 @@ manager: dansimp
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
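Review bot: The rewritten sentence "determines whether the service's start type is Automatic(2), Manual(3), Disabled(4)." lacks a conjunction and a space before each parenthesised value; suggest "Automatic (2), Manual (3), or Disabled (4)". Since "Default: Manual." is now on its own line, include the numeric value there as well ("Default: Manual (3)") so it matches the values an admin actually sets. The same sentence recurs in the other SystemServices hunks of this file.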
@@ -88,11 +90,13 @@ GP Info:
**SystemServices/ConfigureHomeGroupProviderServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -110,7 +114,9 @@ GP Info:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
@@ -127,11 +133,13 @@ GP Info:
**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -149,7 +157,9 @@ GP Info:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
@@ -166,11 +176,13 @@ GP Info:
**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -188,7 +200,9 @@ GP Info:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
@@ -205,11 +219,13 @@ GP Info:
**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -227,7 +243,9 @@ GP Info:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
@@ -244,11 +262,13 @@ GP Info:
**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -266,7 +286,9 @@ GP Info:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+
+Default: Manual.
@@ -281,3 +303,6 @@ GP Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
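Review bot: This hunk adds the "## Related topics" heading without the leading blank line that the same block has in the other files of this change, so confirm the heading is separated from the preceding content and will render as a heading. The file also ends without a trailing newline; add one after the link line.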
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 1cae440c6c..123b672f38 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - TaskManager
-
@@ -26,18 +25,19 @@ manager: dansimp
-
**TaskManager/AllowEndTask**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -57,9 +57,11 @@ manager: dansimp
This setting determines whether non-administrators can use Task Manager to end tasks.
-Value type is integer. Supported values:
+Supported value type is integer.
+
+Supported values:
- 0 - Disabled. EndTask functionality is blocked in TaskManager.
-- 1 - Enabled (default). Users can perform EndTask in TaskManager.
+- 1 - Enabled (default). Users can perform EndTask in TaskManager.
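Review bot: The value list writes the product name as "TaskManager" and the action as "EndTask", while the description line in the same hunk says "Task Manager" and "end tasks". Use the product name "Task Manager" and "End task" in the list items, and keep the one-word forms only for the policy identifier TaskManager/AllowEndTask.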
@@ -70,13 +72,15 @@ Value type is integer. Supported values:
**Validation procedure:**
-When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager
-When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager
+- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager.
+- When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager.
-
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 983bd29762..841d5e8f3e 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - TaskScheduler
-
-
@@ -34,11 +32,13 @@ manager: dansimp
**TaskScheduler/EnableXboxGameSaveTask**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -64,3 +64,6 @@ This setting determines whether the specific task is enabled (1) or disabled (0)
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index f65160e893..0d6692ed2c 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - TextInput
-
-
@@ -137,11 +135,13 @@ Placeholder only. Do not use in production environment.
**TextInput/AllowIMELogging**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -162,8 +162,7 @@ Placeholder only. Do not use in production environment.
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
-Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
+Allows the user to turn on and off the logging for incorrect conversion, and saving auto-tuning result to a file and history-based predictive input.
Most restricted value is 0.
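Review bot: The comma added after "incorrect conversion" in the `+Allows the user ...` line makes the sentence harder to parse. It is now unclear whether the user toggles only the logging, or the logging plus "saving auto-tuning result to a file" and "history-based predictive input". If the three are parallel items, write them as an explicit list ("logging for incorrect conversion, saving the auto-tuning result to a file, and history-based predictive input") instead of inserting a single comma.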
@@ -171,8 +170,8 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed.
+- 1 (default) – Allowed.
@@ -183,11 +182,13 @@ The following list shows the supported values:
**TextInput/AllowIMENetworkAccess**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -227,11 +228,13 @@ The following list shows the supported values:
**TextInput/AllowInputPanel**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -252,7 +255,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the IT admin to disable the touch/handwriting keyboard on Windows.
Most restricted value is 0.
@@ -273,11 +275,13 @@ The following list shows the supported values:
**TextInput/AllowJapaneseIMESurrogatePairCharacters**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -298,10 +302,8 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese IME surrogate pair characters.
-
Most restricted value is 0.
@@ -320,11 +322,13 @@ The following list shows the supported values:
**TextInput/AllowJapaneseIVSCharacters**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -345,7 +349,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows Japanese Ideographic Variation Sequence (IVS) characters.
Most restricted value is 0.
@@ -366,11 +369,13 @@ The following list shows the supported values:
**TextInput/AllowJapaneseNonPublishingStandardGlyph**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -391,7 +396,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese non-publishing standard glyph.
Most restricted value is 0.
@@ -412,11 +416,13 @@ The following list shows the supported values:
**TextInput/AllowJapaneseUserDictionary**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -437,7 +443,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the Japanese user dictionary.
Most restricted value is 0.
@@ -458,11 +463,13 @@ The following list shows the supported values:
**TextInput/AllowKeyboardTextSuggestions**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -524,11 +531,13 @@ This policy has been deprecated.
**TextInput/AllowLanguageFeaturesUninstall**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -549,8 +558,7 @@ This policy has been deprecated.
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
-Allows the uninstall of language features, such as spell checkers, on a device.
+Allows the uninstall of language features, such as spell checkers on a device.
Most restricted value is 0.
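Review bot: The `+` line drops the comma that closed the parenthetical, so "such as spell checkers on a device" now reads as if the spell checkers are on a device, rather than the uninstall happening on a device. Keep the original punctuation: "language features, such as spell checkers, on a device".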
@@ -578,11 +586,13 @@ The following list shows the supported values:
**TextInput/AllowLinguisticDataCollection**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -623,11 +633,13 @@ This setting supports a range of values between 0 and 1.
**TextInput/AllowTextInputSuggestionUpdate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -668,11 +680,13 @@ The following list shows the supported values:
**TextInput/ConfigureJapaneseIMEVersion**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -713,11 +727,13 @@ The following list shows the supported values:
**TextInput/ConfigureSimplifiedChineseIMEVersion**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -758,11 +774,13 @@ The following list shows the supported values:
**TextInput/ConfigureTraditionalChineseIMEVersion**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -783,6 +801,7 @@ The following list shows the supported values:
> [!NOTE]
> - This policy is enforced only in Windows 10 for desktop.
> - This policy requires reboot to take effect.
+
Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
@@ -802,11 +821,13 @@ The following list shows the supported values:
**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -848,11 +869,13 @@ The following list shows the supported values:
**TextInput/ExcludeJapaneseIMEExceptJIS0208**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -873,7 +896,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
@@ -892,11 +914,13 @@ The following list shows the supported values:
**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -917,7 +941,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
@@ -936,11 +959,13 @@ The following list shows the supported values:
**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -961,7 +986,6 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-
Allows the users to restrict character code range of conversion by setting the character filter.
@@ -980,11 +1004,13 @@ The following list shows the supported values:
**TextInput/ForceTouchKeyboardDockedState**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1021,11 +1047,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardDictationButtonAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1062,11 +1090,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardEmojiButtonAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1103,11 +1133,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardFullModeAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1131,7 +1163,7 @@ Specifies whether the full keyboard mode is enabled or disabled for the touch ke
The following list shows the supported values:
-- 0 (default) - The OS determines when it's most appropriate to be available.
+- 0 (default) - The OS determines, when it's most appropriate to be available.
- 1 - Full keyboard is always available.
- 2 - Full keyboard is always disabled.
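Review bot: The comma inserted in "The OS determines, when it's most appropriate to be available" separates the verb from its object clause and should be removed. The removed line, "The OS determines when it's most appropriate to be available", was correct. The same edit is made to value 0 in the handwriting, narrow, split and wide mode hunks that follow in this file.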
@@ -1144,11 +1176,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardHandwritingModeAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1172,7 +1206,7 @@ Specifies whether the handwriting input panel is enabled or disabled. When this
The following list shows the supported values:
-- 0 (default) - The OS determines when it's most appropriate to be available.
+- 0 (default) - The OS determines, when it's most appropriate to be available.
- 1 - Handwriting input panel is always available.
- 2 - Handwriting input panel is always disabled.
@@ -1185,11 +1219,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardNarrowModeAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1213,7 +1249,7 @@ Specifies whether the narrow keyboard mode is enabled or disabled for the touch
The following list shows the supported values:
-- 0 (default) - The OS determines when it's most appropriate to be available.
+- 0 (default) - The OS determines, when it's most appropriate to be available.
- 1 - Narrow keyboard is always available.
- 2 - Narrow keyboard is always disabled.
@@ -1226,11 +1262,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardSplitModeAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1254,7 +1292,7 @@ Specifies whether the split keyboard mode is enabled or disabled for the touch k
The following list shows the supported values:
-- 0 (default) - The OS determines when it's most appropriate to be available.
+- 0 (default) - The OS determines, when it's most appropriate to be available.
- 1 - Split keyboard is always available.
- 2 - Split keyboard is always disabled.
@@ -1267,11 +1305,13 @@ The following list shows the supported values:
**TextInput/TouchKeyboardWideModeAvailability**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1295,7 +1335,7 @@ Specifies whether the wide keyboard mode is enabled or disabled for the touch ke
The following list shows the supported values:
-- 0 (default) - The OS determines when it's most appropriate to be available.
+- 0 (default) - The OS determines, when it's most appropriate to be available.
- 1 - Wide keyboard is always available.
- 2 - Wide keyboard is always disabled.
@@ -1305,3 +1345,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 09a8420d64..a580e736f3 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - TimeLanguageSettings
-
-
@@ -43,11 +41,13 @@ manager: dansimp
**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -97,11 +97,13 @@ ADMX Info:
**TimeLanguageSettings/ConfigureTimeZone**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -141,11 +143,13 @@ Specifies the time zone to be applied to the device. This policy name is the sta
**TimeLanguageSettings/MachineUILanguageOverwrite**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -195,11 +199,13 @@ ADMX Info:
**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -237,3 +243,6 @@ If you disable or don't configure this policy setting, there's no language featu
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index b19352d765..d588058db0 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -12,8 +12,6 @@ ms.date: 09/27/2019
# Policy CSP - Troubleshooting
-
-
@@ -32,11 +30,13 @@ ms.date: 09/27/2019
**Troubleshooting/AllowRecommendations**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -54,7 +54,7 @@ ms.date: 09/27/2019
-This policy setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments.
+This policy setting allows IT admins to configure, how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments.
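Review bot: "configure, how to apply" in the `+` line puts a comma between the verb and its object, while the removed line was grammatical. The comma is the only change in this hunk, so suggest reverting it.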
@@ -98,3 +98,6 @@ By default, this policy isn't configured and the SKU based defaults are used for
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 36c96ffa8d..4c9d94d790 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -241,11 +241,13 @@ ms.collection: highpri
**Update/ActiveHoursEnd**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -263,10 +265,10 @@ ms.collection: highpri
-Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time.
+Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
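Review bot: The description line this hunk edits still says "There's a 12-hour maximum from start time", while the note directly below it says the default maximum is 18 in Windows 10, version 1703, and that the range is configurable through **Update/ActiveHoursMaxRange**. Since the sentence is being touched anyway, qualify the 12-hour figure (for example, by stating which versions it applies to) so that an admin sizing the no-reboot window does not read two different limits.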
@@ -290,11 +292,13 @@ ADMX Info:
**Update/ActiveHoursMaxRange**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -336,11 +340,13 @@ ADMX Info:
**Update/ActiveHoursStart**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -361,7 +367,7 @@ ADMX Info:
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@@ -385,11 +391,13 @@ ADMX Info:
**Update/AllowAutoUpdate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -411,7 +419,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
Supported operations are Get and Replace.
-If the policy isn't configured, end-users get the default behavior (Auto install and restart).
+If the policy isn't configured, end-users get the default behavior (Auto download and install).
@@ -426,18 +434,17 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 – Turn off automatic updates.
-
+- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
+- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page.
+- 5: Turn off automatic updates.
+- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you won't get security updates as well.
-
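Review bot: Inserting `- 6 (default): ...` after `- 5: Turn off automatic updates.` leaves the `> [!IMPORTANT]` warning ("This option should be used only for systems under regulatory compliance, as you won't get security updates as well") directly under the new default, so "This option" now reads as describing value 6 instead of value 5. Move the `[!IMPORTANT]` block so it follows value 5, or name the value in the warning. Two smaller points. Value 4 changes from "Auto install and restart without end-user control" during Automatic Maintenance to a scheduled install that is "the same as `3`". That is a behavior change and should be confirmed against the product rather than folded into a formatting pass. Also, this list uses `0:` separators while the other value lists touched in this file are normalized to `0 - `.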
@@ -447,11 +454,13 @@ The following list shows the supported values:
**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -469,7 +478,7 @@ The following list shows the supported values:
-Option to download updates automatically over metered connections (off by default). Value type is integer.
+Option to download updates automatically over metered connections (off by default). The supported value type is integer.
A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
@@ -499,11 +508,13 @@ The following list shows the supported values:
**Update/AllowMUUpdateService**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -536,8 +547,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not configured.
-- 1 – Allowed. Accepts updates received through Microsoft Update.
+- 0 - Not configured.
+- 1 - Allowed. Accepts updates received through Microsoft Update.
> [!NOTE]
> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
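Review bot: The note kept as context in this hunk ends with "remove the Microsoft Update service:." Drop the stray period after the colon while the adjacent list is being reformatted.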
@@ -556,11 +567,13 @@ $MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")
**Update/AllowNonMicrosoftSignedUpdate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -582,14 +595,14 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
Supported operations are Get and Replace.
-This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). This policy allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location.
The following list shows the supported values:
-- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
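Review bot: After the split, the second sentence ("This policy allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, ...") repeats the opening description of the policy almost word for word, and the comma added before "when the update is found" is not needed. Suggest keeping only the new information, that the setting applies to updates found on an intranet Microsoft update service location. The signing requirement can stay in the value list, where 1 is tied to the "Trusted Publishers" certificate store of the local computer.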
@@ -600,11 +613,13 @@ The following list shows the supported values:
**Update/AllowUpdateService**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -624,12 +639,12 @@ The following list shows the supported values:
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
-Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
+Even when Windows Update is configured to receive updates from an intranet update service. It will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
> [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
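Review bot: The rewritten second paragraph now opens with a sentence fragment. "Even when Windows Update is configured to receive updates from an intranet update service." is a dependent clause with no main clause, because the comma that joined it to "it will periodically retrieve information..." was replaced with a period. Restore the comma and the lowercase "it", and keep the full stop added after "Microsoft Store". The sentence carries the point that an intranet-configured client still contacts the public Windows Update service, so it needs to read cleanly.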
@@ -643,8 +658,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Update service isn't allowed.
-- 1 (default) – Update service is allowed.
+- 0 - Update service isn't allowed.
+- 1 (default) - Update service is allowed.
@@ -655,11 +670,13 @@ The following list shows the supported values:
**Update/AutoRestartDeadlinePeriodInDays**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -679,9 +696,9 @@ The following list shows the supported values:
For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
-The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
+The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks.
-Value type is integer. Default is seven days.
+Supported value type is integer. Default is seven days.
Supported values range: 2-30.
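Review bot: The comma added in "any existing system, and user busy checks" splits a single noun phrase. "System" and "user" both modify "busy checks", so the removed wording was already correct. Suggest reverting that comma and keeping only the "Supported value type is integer." change.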
@@ -692,7 +709,8 @@ If you enable this policy, a restart will automatically occur the specified numb
If you disable or don't configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
-1. No autorestart with signed-in users for scheduled automatic updates installations.
+
+1. No autorestart with signed-in users for the scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
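Review bot: List item 1 is the name of a policy, and inserting "the" ("...for the scheduled automatic updates installations") changes that name. Later hunks in this patch keep the same item as "No autorestart with logged on users for scheduled automatic updates installations." Suggest leaving the name without "the" so readers can match it against the setting they see.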
@@ -713,11 +731,13 @@ ADMX Info:
**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -737,9 +757,9 @@ ADMX Info:
For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
-The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
+The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks.
-Value type is integer. Default is 7 days.
+Supported value type is integer. Default is 7 days.
Supported values range: 2-30.
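Review bot: The changed default line keeps "Default is 7 days." while the quality-update counterpart of this policy says "Default is seven days."; since the line is being edited anyway, pick one form for both. The comma added in "any existing system, and user busy checks" should also be dropped, because "system and user" jointly modify "busy checks".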
@@ -750,7 +770,8 @@ If you enable this policy, a restart will automatically occur the specified numb
If you disable or don't configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations.
+
+1. No autorestart with logged on users for the scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
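Review bot: Item 1 says "logged on users" here, while the same item under Update/AutoRestartDeadlinePeriodInDays says "signed-in users"; the patch edits both lines and leaves two spellings of one policy name in place. Suggest aligning them, and dropping the inserted "the", which is not part of the name as it appears in the other lists in this patch.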
@@ -771,11 +792,13 @@ ADMX Info:
**Update/AutoRestartNotificationSchedule**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -819,11 +842,13 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
**Update/AutoRestartRequiredNotificationDismissal**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -856,8 +881,8 @@ ADMX Info:
The following list shows the supported values:
-- 1 (default) – Auto Dismissal.
-- 2 – User Dismissal.
+- 1 (default) - Auto Dismissal.
+- 2 - User Dismissal.
@@ -868,11 +893,13 @@ The following list shows the supported values:
**Update/AutomaticMaintenanceWakeUp**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -898,6 +925,7 @@ This policy setting allows you to configure if Automatic Maintenance should make
If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary.
If you disable or don't configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies.
+
ADMX Info:
@@ -926,11 +954,13 @@ Supported values:
**Update/BranchReadinessLevel**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -966,7 +996,7 @@ The following list shows the supported values:
- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
-- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted).
+- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted)
- 32 {0x20} - General Availability Channel. Device gets feature updates from General Availability Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single General Availability Channel with a value of 16)
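Review bot: The change to the "16 {0x10}" item removes the full stop from a complete sentence ("Device gets all applicable feature updates from General Availability Channel (Targeted)"), while other hunks in this patch add full stops to list items. Suggest keeping the period. The unchanged "32 {0x20}" item below it could be repaired in the same pass: its parenthetical "(*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single..." has no verb.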
@@ -978,11 +1008,13 @@ The following list shows the supported values:
**Update/ConfigureDeadlineForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1030,11 +1062,13 @@ Default value is 7.
**Update/ConfigureDeadlineForQualityUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1082,11 +1116,13 @@ Default value is 7.
**Update/ConfigureDeadlineGracePeriod**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1104,7 +1140,7 @@ Default value is 7.
-When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used.
+When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used.
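Review bot: The fix for ",allows" deletes the comma instead of adding the missing space after it, so the introductory clause "When used with [Update/ConfigureDeadlineForQualityUpdates](...)" now runs straight into the verb. Suggest ", allows the admin to specify..." with the comma kept and a space added.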
@@ -1117,7 +1153,7 @@ ADMX Info:
-Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update.
+Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required quality update.
Default value is 2.
@@ -1135,11 +1171,13 @@ Default value is 2.
**Update/ConfigureDeadlineGracePeriodForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1158,7 +1196,7 @@ Default value is 2.
-When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used.
+When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used.
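Review bot: The removed line already had the correct ", allows" after the link; the replacement drops that comma, and it is the only visible difference between the two lines. Suggest reverting this line so the introductory "When used with ..." clause stays separated from the verb.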
@@ -1171,7 +1209,7 @@ ADMX Info:
-Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update.
+Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required feature update.
Default value is 2.
@@ -1189,11 +1227,13 @@ Default value is 2.
**Update/ConfigureDeadlineNoAutoReboot**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1245,11 +1285,13 @@ Supported values:
**Update/ConfigureFeatureUpdateUninstallPeriod**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1267,7 +1309,11 @@ Supported values:
-Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
+Enable IT admin to configure feature update uninstall period.
+
+Values range 2 - 60 days.
+
+Default is 10 days.
@@ -1278,11 +1324,13 @@ Enable IT admin to configure feature update uninstall period. Values range 2 - 6
**Update/DeferFeatureUpdatesPeriodInDays**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1306,7 +1354,7 @@ Defers Feature Updates for the specified number of days.
Supported values are 0-365 days.
> [!IMPORTANT]
-> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
@@ -1326,11 +1374,13 @@ ADMX Info:
**Update/DeferQualityUpdatesPeriodInDays**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1370,11 +1420,13 @@ ADMX Info:
**Update/DeferUpdatePeriod**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1393,8 +1445,7 @@ ADMX Info:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
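Review bot: Removing the blank line after the [!NOTE] block leaves "Allows IT Admins to specify update delays for up to four weeks." directly under a line that starts with ">", unless another blank line follows. Markdown treats an unmarked line after a blockquote paragraph as a continuation of it, so the policy description would render inside the note. Suggest keeping the blank line.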
@@ -1448,11 +1499,13 @@ ADMX Info:
**Update/DeferUpgradePeriod**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1471,8 +1524,7 @@ ADMX Info:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify other upgrade delays for up to eight months.
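Review bot: The blank line removed after the note is the separator between the [!NOTE] blockquote and "Allows IT Admins to specify other upgrade delays for up to eight months."; without a separator that sentence becomes a lazy continuation of the quoted note. Suggest restoring the blank line here, as in the DeferUpdatePeriod hunk.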
@@ -1498,11 +1550,13 @@ ADMX Info:
**Update/DetectionFrequency**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1540,11 +1594,13 @@ ADMX Info:
**Update/DisableDualScan**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1562,13 +1618,14 @@ ADMX Info:
-Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
+Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607).
This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update."
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
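Review bot: The re-added first paragraph still ends its second sentence with "unexpectedly scanning Windows update", although the sentence before it capitalises the service name as "Windows Update"; fix the casing while the line is being touched. Splitting "Value type is integer. Supported operations are Add, Get, Replace, and Delete." into two bullets is fine.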
@@ -1594,11 +1651,13 @@ The following list shows the supported values:
**Update/DisableWUfBSafeguards**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1616,20 +1675,20 @@ The following list shows the supported values:
-Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
+Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards.
Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
-IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy.
+IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy.
> [!NOTE]
> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
>
-> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
>
-> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues.
+> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues.
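Review bot: Expanding "WUfB" in the first paragraph removes the only place in this section where the abbreviation was defined, yet the policy is still named Update/DisableWUfBSafeguards. Suggest keeping "Windows Update for Business (WUfB)" on first use so the policy name remains explained. The phrase "and installed with October 2020 security update" on the same line could also be tightened while it is being edited.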
@@ -1655,11 +1714,13 @@ The following list shows the supported values:
**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1693,8 +1754,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) - Enforce certificate pinning
-- 1 - Don't enforce certificate pinning
+- 0 (default) - Enforce certificate pinning.
+- 1 - Don't enforce certificate pinning.
@@ -1705,11 +1766,13 @@ The following list shows the supported values:
**Update/EngagedRestartDeadline**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1729,23 +1792,25 @@ The following list shows the supported values:
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
-The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
+The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks.
> [!NOTE]
> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period.
-Value type is integer. Default is 14.
+Supporting value type is integer.
+
+Default is 14.
Supported value range: 2 - 30.
-If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling).
+If no deadline is specified or deadline is set to 0, the restart won't be automatically executed, and will remain Engaged restart (for example, pending user scheduling).
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
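Review bot: "Supporting value type is integer." is a typo for the "Supported value type is integer." used in the other hunks of this patch. In the same hunk, the comma added in "any existing system, and user busy checks" splits one noun phrase and should be dropped. The unchanged note also refers to "Update/EngagedDeadline", which does not match the Update/EngagedRestartDeadline name this section documents and is worth checking.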
@@ -1765,11 +1830,13 @@ ADMX Info:
**Update/EngagedRestartDeadlineForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1789,7 +1856,9 @@ ADMX Info:
For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
-Value type is integer. Default is 14.
+Supported value type is integer.
+
+Default is 14.
Supported value range: 2-30.
@@ -1798,9 +1867,9 @@ If no deadline is specified or deadline is set to 0, the restart won't be automa
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
@@ -1820,11 +1889,13 @@ ADMX Info:
**Update/EngagedRestartSnoozeSchedule**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1844,16 +1915,18 @@ ADMX Info:
For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
-Value type is integer. Default is three days.
+Supported value type is integer.
+
+Default is three days.
Supported value range: 1-3.
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
@@ -1873,11 +1946,13 @@ ADMX Info:
**Update/EngagedRestartSnoozeScheduleForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1897,16 +1972,18 @@ ADMX Info:
For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
-Value type is integer. Default is three days.
+Supported value type is integer.
+
+Default is three days.
Supported value range: 1-3.
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
@@ -1926,11 +2003,13 @@ ADMX Info:
**Update/EngagedRestartTransitionSchedule**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1950,16 +2029,18 @@ ADMX Info:
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-Value type is integer. Default value is 7 days.
+Supported value type is integer.
+
+Default value is 7 days.
Supported value range: 2 - 30.
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
@@ -1979,11 +2060,13 @@ ADMX Info:
**Update/EngagedRestartTransitionScheduleForFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2003,16 +2086,18 @@ ADMX Info:
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-Value type is integer. Default value is seven days.
+Supported value type is integer.
+
+Default value is seven days.
Supported value range: 2-30.
If you disable or don't configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
-1. No autorestart with logged on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time
-3. Specify deadline before autorestart for update installation
+1. No autorestart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+3. Specify deadline before autorestart for update installation.
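Review bot: The unchanged first line of this hunk contains "scheduled_outside of active hours", a stray underscore where the quality-update counterpart has "scheduled outside"; fix it in this pass. The changed default line also keeps "Default value is seven days." while the counterpart says "Default value is 7 days.", so pick one form for both.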
@@ -2032,11 +2117,13 @@ ADMX Info:
**Update/ExcludeWUDriversInQualityUpdate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2069,8 +2156,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
+- 0 (default) - Allow Windows Update drivers.
+- 1 - Exclude Windows Update drivers.
@@ -2081,11 +2168,13 @@ The following list shows the supported values:
**Update/FillEmptyContentUrls**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2103,10 +2192,10 @@ The following list shows the supported values:
-Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
+Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
> [!NOTE]
-> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server.
+> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server.
@@ -2121,8 +2210,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Disabled.
-- 1 – Enabled.
+- 0 (default) - Disabled.
+- 1 - Enabled.
@@ -2133,11 +2222,13 @@ The following list shows the supported values:
**Update/IgnoreMOAppDownloadLimit**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2164,8 +2255,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+- 0 (default) - Don't ignore MO download limit for apps and their updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
@@ -2186,11 +2277,13 @@ To validate this policy:
**Update/IgnoreMOUpdateDownloadLimit**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2217,8 +2310,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for OS updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+- 0 (default) - Don't ignore MO download limit for OS updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
@@ -2239,11 +2332,13 @@ To validate this policy:
**Update/ManagePreviewBuilds**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2261,7 +2356,9 @@ To validate this policy:
-Used to manage Windows 10 Insider Preview builds. Value type is integer.
+Used to manage Windows 10 Insider Preview builds.
+
+Supported value type is integer.
@@ -2276,9 +2373,9 @@ ADMX Info:
The following list shows the supported values:
-- 0 - Disable Preview builds
-- 1 - Disable Preview builds once the next release is public
-- 2 - Enable Preview builds
+- 0 - Disable Preview builds.
+- 1 - Disable Preview builds once the next release is public.
+- 2 - Enable Preview builds.
@@ -2289,11 +2386,13 @@ The following list shows the supported values:
**Update/PauseDeferrals**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2312,12 +2411,10 @@ The following list shows the supported values:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
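Review bot: Removing the blank line after the `> [!NOTE]` text leaves "Allows IT Admins to pause updates and upgrades..." directly under the blockquote in the lines shown here. If no blank line remains between them in the file, Markdown treats that paragraph as a lazy continuation and renders the policy description inside the note. Please confirm a separating blank line is still present, or keep one and only strip the trailing whitespace.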
@@ -2333,8 +2430,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Deferrals aren't paused.
-- 1 – Deferrals are paused.
+- 0 (default) - Deferrals aren't paused.
+- 1 - Deferrals are paused.
@@ -2345,11 +2442,13 @@ The following list shows the supported values:
**Update/PauseFeatureUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2368,7 +2467,7 @@ The following list shows the supported values:
-Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you're running Windows 10, version 1703 or later.
+Allows IT Admins to pause feature updates for up to 35 days. We recommend that you use the *Update/PauseFeatureUpdatesStartTime* policy, if you're running Windows 10, version 1703 or later.
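Review bot: The typo fix ("recomment" to "recommend") is right, but the comma added before "if you're running Windows 10, version 1703 or later" is not needed and separates the condition from the recommendation it qualifies. Suggest dropping that comma and keeping only the spelling change.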
@@ -2383,8 +2482,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Feature Updates aren't paused.
-- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
+- 0 (default) - Feature Updates aren't paused.
+- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
@@ -2395,11 +2494,13 @@ The following list shows the supported values:
**Update/PauseFeatureUpdatesStartTime**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2419,7 +2520,8 @@ The following list shows the supported values:
Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
-Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
+- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
+- Supported operations are Add, Get, Delete, and Replace.
@@ -2439,11 +2541,13 @@ ADMX Info:
**Update/PauseQualityUpdates**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2476,8 +2580,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Quality Updates aren't paused.
-- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
+- 0 (default) - Quality Updates aren't paused.
+- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
@@ -2488,11 +2592,13 @@ The following list shows the supported values:
**Update/PauseQualityUpdatesStartTime**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2512,7 +2618,8 @@ The following list shows the supported values:
Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
-Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
+- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
+- Supported operations are Add, Get, Delete, and Replace.
@@ -2543,11 +2650,13 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
**Update/ProductVersion**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2580,7 +2689,7 @@ ADMX Info:
-Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
+Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10".
@@ -2593,7 +2702,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
1. The applicable Windows license was purchased through volume licensing, or
-2. That you're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
+2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
@@ -2601,11 +2710,13 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
**Update/RequireDeferUpgrade**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|No|
+|Windows SE|No|No|
|Business|Yes|No|
|Enterprise|Yes|No|
|Education|Yes|No|
@@ -2624,8 +2735,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to General Availability Channel train.
@@ -2640,8 +2750,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – User gets upgrades from General Availability Channel (Targeted).
-- 1 – User gets upgrades from General Availability Channel.
+- 0 (default) - User gets upgrades from General Availability Channel (Targeted).
+- 1 - User gets upgrades from General Availability Channel.
@@ -2652,11 +2762,13 @@ The following list shows the supported values:
**Update/RequireUpdateApproval**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|No|
+|Windows SE|No|No|
|Business|Yes|No|
|Enterprise|Yes|No|
|Education|Yes|No|
@@ -2675,8 +2787,7 @@ The following list shows the supported values:
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
@@ -2686,8 +2797,8 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+- 0 - Not configured. The device installs all applicable updates.
+- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
@@ -2698,11 +2809,13 @@ The following list shows the supported values:
**Update/ScheduleImminentRestartWarning**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2746,11 +2859,13 @@ Supported values are 15, 30, or 60 (minutes).
**Update/ScheduleRestartWarning**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2769,8 +2884,7 @@ Supported values are 15, 30, or 60 (minutes).
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Allows the IT Admin to specify the period for autorestart warning reminder notifications.
@@ -2798,11 +2912,13 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
**Update/ScheduledInstallDay**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2822,7 +2938,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
Enables the IT admin to schedule the day of the update installation.
-The data type is an integer.
+Supported data type is an integer.
Supported operations are Add, Delete, Get, and Replace.
@@ -2839,14 +2955,14 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
+- 0 (default) - Every day
+- 1 - Sunday
+- 2 - Monday
+- 3 - Tuesday
+- 4 - Wednesday
+- 5 - Thursday
+- 6 - Friday
+- 7 - Saturday
@@ -2857,11 +2973,13 @@ The following list shows the supported values:
**Update/ScheduledInstallEveryWeek**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2879,11 +2997,14 @@ The following list shows the supported values:
-Enables the IT admin to schedule the update installation on every week. Value type is integer. Supported values:
-
-
0 - no update in the schedule
-
1 - update is scheduled every week
-
+Enables the IT admin to schedule the update installation on every week.
+
+Supported Value type is integer.
+
+Supported values:
+- 0 - no update in the schedule.
+- 1 - update is scheduled every week.
+
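Review bot: "Supported Value type is integer." capitalizes "Value", while the sibling ScheduledInstall*Week sections in this patch use "Supported value type is integer." Lowercase it for consistency. The two list items also start with lowercase "no update" and "update is scheduled" but now end with periods, so either capitalize them as sentences or drop the periods.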
@@ -2903,11 +3024,13 @@ ADMX Info:
**Update/ScheduledInstallFirstWeek**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2925,11 +3048,14 @@ ADMX Info:
-Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
-
-
0 - no update in the schedule
-
1 - update is scheduled every first week of the month
-
+Enables the IT admin to schedule the update installation on the first week of the month.
+
+Supported value type is integer.
+
+Supported values:
+- 0 - no update in the schedule.
+- 1 - update is scheduled every first week of the month.
+
@@ -2949,11 +3075,13 @@ ADMX Info:
**Update/ScheduledInstallFourthWeek**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -2971,11 +3099,14 @@ ADMX Info:
-Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
-
-
0 - no update in the schedule
-
1 - update is scheduled every fourth week of the month
-
+Enables the IT admin to schedule the update installation on the fourth week of the month.
+
+Supported value type is integer.
+
+Supported values:
+- 0 - no update in the schedule.
+- 1 - update is scheduled every fourth week of the month.
+
@@ -2995,11 +3126,13 @@ ADMX Info:
**Update/ScheduledInstallSecondWeek**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3017,11 +3150,15 @@ ADMX Info:
-Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
-
-
0 - no update in the schedule
-
1 - update is scheduled every second week of the month
-
+Enables the IT admin to schedule the update installation on the second week of the month.
+
+Supported vlue type is integer.
+
+Supported values:
+
+- 0 - no update in the schedule.
+- 1 - update is scheduled every second week of the month.
+
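Review bot: Typo in the added line "Supported vlue type is integer."; it should read "Supported value type is integer." This hunk also puts a blank line between "Supported values:" and the list, while the first, third and fourth week sections do not, so pick one layout for all of them.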
@@ -3041,11 +3178,13 @@ ADMX Info:
**Update/ScheduledInstallThirdWeek**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3063,11 +3202,14 @@ ADMX Info:
-Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
-
-
0 - no update in the schedule
-
1 - update is scheduled every third week of the month
-
+Enables the IT admin to schedule the update installation on the third week of the month.
+
+Supported value type is integer.
+
+Supported values:
+- 0 - no update in the schedule.
+- 1 - update is scheduled every third week of the month.
+
@@ -3087,11 +3229,13 @@ ADMX Info:
**Update/ScheduledInstallTime**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3110,12 +3254,11 @@ ADMX Info:
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to schedule the time of the update installation.
-The data type is an integer.
+The supported data type is an integer.
Supported operations are Add, Delete, Get, and Replace.
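Review bot: The new wording "The supported data type is an integer." differs from "Supported data type is an integer." in the Update/ScheduledInstallDay hunk and from "Supported value type is integer." used elsewhere in this patch. Pick one phrasing for the type line and apply it throughout.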
@@ -3141,11 +3284,13 @@ ADMX Info:
**Update/SetAutoRestartNotificationDisable**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3178,8 +3323,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Enabled
-- 1 – Disabled
+- 0 (default) - Enabled
+- 1 - Disabled
@@ -3190,11 +3335,13 @@ The following list shows the supported values:
**Update/SetDisablePauseUXAccess**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3214,7 +3361,11 @@ The following list shows the supported values:
This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature.
-Value type is integer. Default is 0. Supported values 0, 1.
+Supported value type is integer.
+
+Default is 0.
+
+Supported values 0, 1.
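Review bot: Splitting the sentence into three paragraphs leaves "Supported values 0, 1." as a fragment that still does not say what each value does. Since the lines are being rewritten anyway, list the values the way the other policies in this file do ("The following list shows the supported values:" followed by "- 0 (default) - ..." and "- 1 - ..."), so an admin can tell which value disables the "Pause updates" feature.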
@@ -3231,11 +3382,13 @@ ADMX Info:
**Update/SetDisableUXWUAccess**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3255,7 +3408,11 @@ ADMX Info:
This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features.
-Value type is integer. Default is 0. Supported values 0, 1.
+Supported value type is integer.
+
+Default is 0.
+
+Supported values 0, 1.
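Review bot: "Supported values 0, 1." gives no meaning for either value, and this policy removes user access to Windows Update scan, download and install, so the direction of the switch matters. Replace the three one-line paragraphs with a supported-values list that states what 0 (default) and 1 do.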
@@ -3272,11 +3429,13 @@ ADMX Info:
**Update/SetEDURestart**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3296,7 +3455,7 @@ ADMX Info:
For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
-When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart.
+When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period, after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart.
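Review bot: The commas added in "After a buffer period, after ActiveHoursEnd, the device will wake up" make the sentence harder to read than the original and suggest two separate conditions. Suggest "After a buffer period following ActiveHoursEnd, the device will wake up several times to complete the processes."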
@@ -3322,11 +3481,13 @@ The following list shows the supported values:
**Update/SetPolicyDrivenUpdateSourceForDriver**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3352,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
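Review bot: The replacement note text "correctly to point your WSUS server" drops the "to" that the removed line had, so the sentence no longer parses, and it keeps the redundant "properly ... correctly". Suggest "If you haven't configured Update/UpdateServiceUrl to point to your WSUS server, this policy will have no effect."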
@@ -3366,8 +3527,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Driver from Windows Update
-- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS)
+- 0: (Default) Detect, download, and deploy Driver from Windows Update.
+- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS).
@@ -3378,11 +3539,13 @@ The following list shows the supported values:
**Update/SetPolicyDrivenUpdateSourceForFeature**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3408,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
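Review bot: In the SetPolicyDrivenUpdateSourceForFeature note, "to point your WSUS server" is missing "to" after "point"; the removed line was grammatical. Restore "to point to your WSUS server" and drop one of "properly" / "correctly".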
@@ -3422,8 +3585,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Feature from Windows Update
-- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS)
+- 0: (Default) Detect, download, and deploy Feature from Windows Update.
+- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS).
@@ -3434,11 +3597,13 @@ The following list shows the supported values:
**Update/SetPolicyDrivenUpdateSourceForOther**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3464,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForDriver
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
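Review bot: The SetPolicyDrivenUpdateSourceForOther note now reads "correctly to point your WSUS server", which is a regression from the removed line. Keep "point to your WSUS server".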
@@ -3478,8 +3643,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Other from Windows Update
-- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS)
+- 0: (Default) Detect, download, and deploy Other from Windows Update.
+- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS).
@@ -3490,11 +3655,13 @@ The following list shows the supported values:
**Update/SetPolicyDrivenUpdateSourceForQuality**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3520,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
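Review bot: The SetPolicyDrivenUpdateSourceForQuality note loses the "to" in "point to your WSUS server". Revert that word change; if the intent was to tidy the sentence, remove the duplicated "properly ... correctly" instead.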
@@ -3534,8 +3701,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Quality from Windows Update
-- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS)
+- 0: (Default) Detect, download, and deploy Quality from Windows Update.
+- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS).
@@ -3546,11 +3713,13 @@ The following list shows the supported values:
**Update/SetProxyBehaviorForUpdateDetection**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3587,6 +3756,7 @@ The following list shows the supported values:
- 0 (default) - Allow system proxy only for HTTP scans.
- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails.
+
> [!NOTE]
> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure.
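Review bot: While this block is being touched, the alert on the last two lines should not stay a `[!NOTE]`: it tells admins that value 1 "exposes your environment to potential security risk", and other security warnings in this patch use `[!CAUTION]` or `[!IMPORTANT]`. Consider changing the alert type and replacing "unsecure" with "not secure". It would also help to say in one clause why user-proxy fallback is the risk, since the current text gives no reason.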
@@ -3599,11 +3769,13 @@ The following list shows the supported values:
**Update/TargetReleaseVersion**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3622,6 +3794,7 @@ The following list shows the supported values:
Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information/).
+
ADMX Info:
@@ -3633,7 +3806,7 @@ ADMX Info:
-Value type is a string containing Windows 10 version number. For example, 1809, 1903.
+Supported value type is a string containing Windows 10 version number. For example, 1809, 1903.
@@ -3649,11 +3822,13 @@ Value type is a string containing Windows 10 version number. For example, 1809,
**Update/UpdateNotificationLevel**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3675,9 +3850,9 @@ Display options for update notifications. This policy allows you to define what
Options:
-- 0 (default) – Use the default Windows Update notifications
-- 1 – Turn off all notifications, excluding restart warnings
-- 2 – Turn off all notifications, including restart warnings
+- 0 (default) - Use the default Windows Update notifications.
+- 1 - Turn off all notifications, excluding restart warnings.
+- 2 - Turn off all notifications, including restart warnings.
> [!IMPORTANT]
> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
@@ -3708,11 +3883,13 @@ ADMX Info:
**Update/UpdateServiceUrl**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3782,11 +3959,13 @@ Example
**Update/UpdateServiceUrlAlternate**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -3808,9 +3987,9 @@ Specifies an alternate intranet server to host updates from Microsoft Update. Yo
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-Value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+Supported value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!NOTE]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
@@ -3831,3 +4010,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
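Review bot: The added "Related topics" section ends the file without a trailing newline (see the "\ No newline at end of file" marker). Add a final newline after the `[Policy configuration service provider](policy-configuration-service-provider.md)` link so later diffs against this file stay clean.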
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 3d13322718..9d126f072e 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - UserRights
-
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@@ -77,7 +76,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
> [!NOTE]
> `` is the entity encoding of 0xF000.
-For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
+For example, the following syntax grants user rights to Authenticated Users and Replicator user groups.:
```xml
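Review bot: The added line ends in ".:" ("Replicator user groups.:"), which is a punctuation typo introduced by this change. The sentence introduces the XML sample that follows, so keep the colon and drop the period, as the removed line had it.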
@@ -197,11 +196,13 @@ For example, the following syntax grants user rights to a specific user or group
**UserRights/AccessCredentialManagerAsTrustedCaller**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
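Review bot: The added lead-in "The table below shows the applicability of Windows:" reads backwards, here and in every later hunk that repeats it. The table lists the Windows editions to which the policy applies, not the applicability of Windows. Suggest "The following table shows the Windows editions to which this policy applies:" and apply the same wording across all of the repeated lead-ins.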
@@ -236,11 +237,13 @@ GP Info:
**UserRights/AccessFromNetwork**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -259,6 +262,7 @@ GP Info:
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right.
+
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
@@ -277,11 +281,13 @@ GP Info:
**UserRights/ActAsPartOfTheOperatingSystem**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -300,6 +306,7 @@ GP Info:
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@@ -318,11 +325,13 @@ GP Info:
**UserRights/AllowLocalLogOn**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -341,6 +350,7 @@ GP Info:
This user right determines which users can sign in to the computer.
+
> [!NOTE]
> Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
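Review bot: The link in the note left as context here has a stray space before its closing parenthesis ("LinkId=24268 )"). Since this hunk already touches the callout's spacing, remove that space in the same change so the link target is clean.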
@@ -359,11 +369,13 @@ GP Info:
**UserRights/BackupFilesAndDirectories**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -382,6 +394,7 @@ GP Info:
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only.
@@ -400,11 +413,13 @@ GP Info:
**UserRights/ChangeSystemTime**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -423,8 +438,9 @@ GP Info:
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
> [!CAUTION]
-> Configuring user rights replaces existing users or groups previously assigned those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
+> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
>
> Not including the Local Service account will result in failure with the following error:
>
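Review bot: The added "to" in "previously assigned to those user rights" reverses the relationship the caution describes. Rights are assigned to users and groups, and the rest of this page says accounts are "assigned this user right". The removed wording ("users or groups previously assigned those user rights") was correct. Because this caution states the replace semantics and the Local Service (S-1-5-19) requirement, keep the original phrasing or reword to "users or groups that were previously assigned those user rights".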
@@ -447,11 +463,13 @@ GP Info:
**UserRights/CreateGlobalObjects**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -470,6 +488,7 @@ GP Info:
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@@ -488,11 +507,13 @@ GP Info:
**UserRights/CreatePageFile**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -527,11 +548,13 @@ GP Info:
**UserRights/CreatePermanentSharedObjects**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -566,11 +589,13 @@ GP Info:
**UserRights/CreateSymbolicLinks**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -589,8 +614,10 @@ GP Info:
This user right determines if the user can create a symbolic link from the computer they're signed in to.
+
> [!CAUTION]
> This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
+
> [!NOTE]
> This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
@@ -609,11 +636,13 @@ GP Info:
**UserRights/CreateToken**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -632,6 +661,7 @@ GP Info:
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.
@@ -650,11 +680,13 @@ GP Info:
**UserRights/DebugPrograms**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -673,6 +705,7 @@ GP Info:
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@@ -691,11 +724,13 @@ GP Info:
**UserRights/DenyAccessFromNetwork**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -713,7 +748,7 @@ GP Info:
-This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access to this computer from the network policy setting if a user account is subject to both policies.
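Review bot: The added line changes a policy name, not just grammar. "Access this computer from the network" is the name of the setting that this deny right supersedes, as the removed line shows. "Access to this computer from the network policy setting" no longer matches what an administrator will look for. Revert the inserted "to", and consider italicizing or quoting the setting name so it is not edited as ordinary prose again.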
@@ -730,11 +765,13 @@ GP Info:
**UserRights/DenyLocalLogOn**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -772,11 +809,13 @@ GP Info:
**UserRights/DenyRemoteDesktopServicesLogOn**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -811,11 +850,13 @@ GP Info:
**UserRights/EnableDelegation**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -834,6 +875,7 @@ GP Info:
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set.
+
> [!CAUTION]
> Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
@@ -852,11 +894,13 @@ GP Info:
**UserRights/GenerateSecurityAudits**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -891,11 +935,13 @@ GP Info:
**UserRights/ImpersonateClient**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -914,14 +960,19 @@ GP Info:
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
+
> [!NOTE]
> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
-1) The access token that is being impersonated is for this user.
-2) The user, in this sign-in session, created the access token by signing in to the network with explicit credentials.
-3) The requested level is less than Impersonate, such as Anonymous or Identify.
+
+1. The access token that is being impersonated is for this user.
+1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials.
+1. The requested level is less than Impersonate, such as Anonymous or Identify.
+
Because of these factors, users don't usually need this user right.
+
> [!WARNING]
> If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run.
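Review bot: The added blank lines around the renumbered list detach the three conditions from the note that introduces them. The NOTE callout now ends on "if any of the following conditions exist." with nothing following inside it, while the conditions and "Because of these factors, users don't usually need this user right." render as body text. If they belong to the note, prefix the list and the closing sentence with ">". If they are meant as body text, move the "In addition, a user can also impersonate an access token..." sentence out of the callout with them.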
@@ -940,11 +991,13 @@ GP Info:
**UserRights/IncreaseSchedulingPriority**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -984,11 +1037,13 @@ GP Info:
**UserRights/LoadUnloadDeviceDrivers**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1007,6 +1062,7 @@ GP Info:
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.
@@ -1025,11 +1081,13 @@ GP Info:
**UserRights/LockMemory**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1064,11 +1122,13 @@ GP Info:
**UserRights/ManageAuditingAndSecurityLog**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1103,11 +1163,13 @@ GP Info:
**UserRights/ManageVolume**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1125,7 +1187,7 @@ GP Info:
-This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+This user right determines which users and groups can run maintenance tasks on a volume, such as remote de-fragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
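Review bot: The added line replaces "defragmentation" with "de-fragmentation", which is a nonstandard spelling and the only change in the line. Keep "defragmentation". If the sentence is being touched anyway, "extend files in to memory" in the same paragraph should read "into memory".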
@@ -1142,11 +1204,13 @@ GP Info:
**UserRights/ModifyFirmwareEnvironment**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1165,6 +1229,7 @@ GP Info:
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.
+
> [!NOTE]
> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
@@ -1183,11 +1248,13 @@ GP Info:
**UserRights/ModifyObjectLabel**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1222,11 +1289,13 @@ GP Info:
**UserRights/ProfileSingleProcess**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1261,11 +1330,13 @@ GP Info:
**UserRights/RemoteShutdown**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1300,11 +1371,13 @@ GP Info:
**UserRights/RestoreFilesAndDirectories**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1323,6 +1396,7 @@ GP Info:
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only.
@@ -1341,11 +1415,13 @@ GP Info:
**UserRights/TakeOwnership**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1364,6 +1440,7 @@ GP Info:
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
+
> [!CAUTION]
> Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only.
@@ -1378,3 +1455,7 @@ GP Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index 2ca5d714a9..4d39b65348 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -28,18 +28,19 @@ manager: dansimp
-
**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -57,7 +58,7 @@ manager: dansimp
-Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
+Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
@@ -66,9 +67,9 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity
The following are the supported values:
-- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock
-- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock
-- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock
+- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock.
+- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
+- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.
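Review bot: The added value descriptions leave the locked case implicit and capitalize inconsistently. The line for 0 says HVCI is turned off "if configured previously without UEFI Lock", which implies that pushing 0 does not turn it off on a device enabled with value 1. If that is the intended behavior, state it explicitly on the 0 or 1 line, since it determines whether the setting can be reversed remotely. Also use one form of "UEFI lock": the 0 line has "UEFI Lock" while the 1 and 2 lines have "UEFI lock".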
@@ -84,11 +85,13 @@ The following are the supported values:
**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -106,7 +109,7 @@ The following are the supported values:
-Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
+Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
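Review bot: The added description is word for word the one used for HypervisorEnforcedCodeIntegrity, but going by the preceding hunk's heading it sits under RequireUEFIMemoryAttributesTable. The change only fixes capitalization and leaves the paragraph silent on what requiring the UEFI Memory Attributes Table does. Replace it with a description of this policy, or at least add a sentence tying the values 0 and 1 ("Do not require" / "Require UEFI Memory Attributes Table") to their effect on HVCI. The link text "here" would also be better as a descriptive title.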
@@ -116,8 +119,8 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity
The following are the supported values:
-- 0: (Disabled) Do not require UEFI Memory Attributes Table
-- 1: (Enabled) Require UEFI Memory Attributes Table
+- 0: (Disabled) Do not require UEFI Memory Attributes Table.
+- 1: (Enabled) Require UEFI Memory Attributes Table.
@@ -131,3 +134,6 @@ The following are the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 0f2a4df17d..5306104d5c 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -69,6 +69,7 @@ This policy has been deprecated.
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -119,6 +120,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -169,6 +171,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -214,6 +217,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -256,6 +260,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -296,6 +301,7 @@ The following list shows the supported values:
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md
index 1dc3fde74d..5f934b05bd 100644
--- a/windows/client-management/mdm/policy-csp-windowsautopilot.md
+++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md
@@ -39,6 +39,7 @@ manager: dansimp
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -72,3 +73,6 @@ This policy enables Windows Autopilot to be kept up-to-date during the out-of-bo
+
+## Related topics
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
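Review bot: The added "## Related topics" heading is followed directly by the link line with no blank line between them, unlike the same section added to the other policy files in this patch, where an empty added line separates heading and link. Add the blank line for consistency. The new last line also leaves the file without a trailing newline, as the "\ No newline at end of file" marker shows, so end the file with a newline.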
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index dd72a9ae8b..efce371108 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - WindowsConnectionManager
-
-
@@ -34,11 +32,13 @@ manager: dansimp
**WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -60,23 +60,25 @@ This policy setting prevents computers from connecting to both a domain-based ne
If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
-Automatic connection attempts
+Automatic connection attempts:
+
- When the computer is already connected to a domain-based network, all automatic connection attempts to non-domain networks are blocked.
- When the computer is already connected to a non-domain-based network, automatic connection attempts to domain-based networks are blocked.
-Manual connection attempts
-- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
-- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
+Manual connection attempts:
+
+- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing network connection is disconnected and the manual connection is allowed.
+- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
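Review bot: In the two rewritten "Manual connection attempts" bullets, changing "the existing network connection" to "then an existing network connection" (and likewise for the Ethernet bullet) makes the behavior ambiguous. The sentence refers to the specific connection the computer already has, so the definite article is needed to say which connection is dropped or kept. Suggest "the existing network connection is disconnected" and "the existing Ethernet connection is maintained", with or without the added "then". The two changed lines in the TIP callout differ only in whitespace and can be dropped from the patch if that was not intended.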
@@ -89,6 +91,8 @@ ADMX Info:
-
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index f7a519d956..665a0824e5 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -14,10 +14,10 @@ manager: dansimp
# Policy CSP - WindowsDefenderSecurityCenter
-
+
## WindowsDefenderSecurityCenter policies
@@ -89,18 +89,19 @@ manager: dansimp
-
**WindowsDefenderSecurityCenter/CompanyName**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -120,10 +121,12 @@ manager: dansimp
The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options.
-Value type is string. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is string.
+- Supported operations are Add, Get, Replace and Delete.
+
ADMX Info:
- GP Friendly name: *Specify contact company name*
- GP name: *EnterpriseCustomization_CompanyName*
@@ -140,11 +143,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/DisableAccountProtectionUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -188,11 +193,13 @@ Valid values:
**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -212,7 +219,8 @@ Valid values:
Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -238,11 +246,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableClearTpmButton**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -262,14 +272,9 @@ The following list shows the supported values:
Disable the Clear TPM button in Windows Security.
-Enabled:
-The Clear TPM button will be unavailable for use.
-
-Disabled:
-The Clear TPM button will be available for use on supported systems.
-
-Not configured:
-Same as Disabled.
+- Enabled: The Clear TPM button will be unavailable for use.
+- Disabled: The Clear TPM button will be available for use on supported systems.
+- Not configured: Same as Disabled.
Supported values:
@@ -302,11 +307,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -350,11 +357,13 @@ Valid values:
**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -377,7 +386,8 @@ Use this policy if you want Windows Defender Security Center to only display not
> [!NOTE]
> If Suppress notification is enabled then users won't see critical or non-critical messages.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -403,11 +413,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableFamilyUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -427,7 +439,8 @@ The following list shows the supported values:
Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -453,11 +466,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableHealthUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -477,7 +492,8 @@ The following list shows the supported values:
Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -503,11 +519,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableNetworkUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -527,7 +545,8 @@ The following list shows the supported values:
Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -553,11 +572,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableNotifications**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -577,7 +598,8 @@ The following list shows the supported values:
Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -603,11 +625,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -627,14 +651,9 @@ The following list shows the supported values:
Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected.
-Enabled:
-Users won't be shown a recommendation to update their TPM Firmware.
-
-Disabled:
-Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware.
-
-Not configured:
-Same as Disabled.
+- Enabled: Users won't be shown a recommendation to update their TPM Firmware.
+- Disabled: Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware.
+- Not configured: Same as Disabled.
Supported values:
@@ -667,11 +686,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/DisableVirusUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -691,7 +712,8 @@ ADMX Info:
Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -717,11 +739,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -741,7 +765,8 @@ The following list shows the supported values:
Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area.
-Value type is integer. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace and Delete.
@@ -767,11 +792,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/Email**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -789,9 +816,10 @@ The following list shows the supported values:
-The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
+The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
-Value type is string. Supported operations are Add, Get, Replace and Delete.
+- Supported value type is string.
+- Supported operations are Add, Get, Replace and Delete.
@@ -811,11 +839,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/EnableCustomizedToasts**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -835,7 +865,8 @@ ADMX Info:
Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- Supported value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -861,11 +892,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/EnableInAppCustomization**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -885,7 +918,8 @@ The following list shows the supported values:
Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- Support value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
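Review bot: Typo in the added bullet "- Support value type is integer."; every other section in this patch uses "Supported value type is ...". The operations bullet here also keeps the serial comma ("Add, Get, Replace, and Delete") while most earlier sections in this file use "Add, Get, Replace and Delete". Since the sentence is being rewritten in every section anyway, pick one form and apply it throughout.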
@@ -911,11 +945,13 @@ The following list shows the supported values:
**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -959,11 +995,13 @@ Valid values:
**WindowsDefenderSecurityCenter/HideSecureBoot**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1007,11 +1045,13 @@ Valid values:
**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1055,11 +1095,13 @@ Valid values:
**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1081,14 +1123,9 @@ This policy setting hides the Windows Security notification area control.
The user needs to either sign out and sign in or reboot the computer for this setting to take effect.
-Enabled:
-Windows Security notification area control will be hidden.
-
-Disabled:
-Windows Security notification area control will be shown.
-
-Not configured:
-Same as Disabled.
+- Enabled: Windows Security notification area control will be hidden.
+- Disabled: Windows Security notification area control will be shown.
+- Not configured: Same as Disabled.
Supported values:
@@ -1121,11 +1158,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/Phone**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1143,9 +1182,10 @@ ADMX Info:
-The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
+The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -1165,11 +1205,13 @@ ADMX Info:
**WindowsDefenderSecurityCenter/URL**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -1189,7 +1231,8 @@ ADMX Info:
The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+- Supported value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
@@ -1205,3 +1248,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
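Review bot: The new "Related topics" section ends the file without a trailing newline, as the "\ No newline at end of file" marker after the added link shows. Add a final newline so the next change to this file does not show the link line as modified. The same marker follows the Related topics additions in the other policy-csp files in this patch.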
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 6daf010d04..b6cd4ac1ab 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - WindowsInkWorkspace
-
@@ -29,18 +28,19 @@ manager: dansimp
-
**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -84,11 +84,13 @@ The following list shows the supported values:
**WindowsInkWorkspace/AllowWindowsInkWorkspace**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -119,7 +121,7 @@ ADMX Info:
-Value type is int. The following list shows the supported values:
+Supported value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
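Review bot: The reworded line says "Supported value type is int." while the other sections touched by this patch spell the type out ("Supported value type is integer."). Use "integer" here too so the value-type statement is uniform across the Policy CSP pages.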
@@ -131,3 +133,6 @@ Value type is int. The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 4998d7eaf9..4951a14248 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - WindowsLogon
-
-
@@ -52,18 +50,19 @@ manager: dansimp
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
**WindowsLogon/AllowAutomaticRestartSignOn**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
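Review bot: The note kept as context at the top of this hunk still advises XML-encoding the SyncML payload with "a variety of online encoders" and links the CDATA reference over http://. SyncML payloads carry device policy configuration, so pointing administrators at third-party web encoders is worth reconsidering while this file is open. Suggest recommending a local encoding step or CDATA only, and switching the W3C link to https://.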
@@ -120,11 +119,13 @@ ADMX Info:
**WindowsLogon/ConfigAutomaticRestartSignOn**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -181,11 +182,13 @@ ADMX Info:
**WindowsLogon/DisableLockScreenAppNotifications**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -227,11 +230,13 @@ ADMX Info:
**WindowsLogon/DontDisplayNetworkSelectionUI**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -298,11 +303,13 @@ ADMX Info:
**WindowsLogon/EnableFirstLogonAnimation**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -359,11 +366,13 @@ Supported values:
**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -405,11 +414,13 @@ ADMX Info:
**WindowsLogon/HideFastUserSwitching**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -457,3 +468,6 @@ To validate on Desktop, do the following steps:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 13e24a3f5d..2aa49f3cfb 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - WindowsPowerShell
-
-
@@ -34,11 +32,13 @@ manager: dansimp
**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -57,19 +57,18 @@ manager: dansimp
-This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting,
-Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
+This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
-If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script
-starts or stops. Enabling Invocation Logging generates a high volume of event logs.
+If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.
-Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
+> [!NOTE]
+> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
@@ -86,6 +85,8 @@ ADMX Info:
-
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index 02edfd6f6e..8a946c0358 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -39,7 +39,6 @@ ms.date: 10/14/2020
-
@@ -48,11 +47,13 @@ ms.date: 10/14/2020
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -118,11 +119,13 @@ The following are the supported values:
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -142,7 +145,7 @@ Available in the latest Windows 10 insider preview build.
This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
-If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled.
+If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled).
If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file.
@@ -185,11 +188,13 @@ The following are the supported values:
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -250,11 +255,13 @@ The following are the supported values:
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -272,7 +279,7 @@ Available in the latest Windows 10 insider preview build.
-This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
+This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
If this policy isn't configured, end-users get the default behavior (printer sharing disabled).
@@ -316,11 +323,13 @@ The following are the supported values:
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -385,11 +394,13 @@ The following are the supported values:
Available in the latest Windows 10 insider preview build.
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -448,3 +459,7 @@ The following are the supported values:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index ac5e6d69fd..54953f93ee 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -56,11 +56,13 @@ manager: dansimp
**WirelessDisplay/AllowMdnsAdvertisement**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -96,11 +98,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowMdnsDiscovery**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -136,11 +140,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowMovementDetectionOnInfrastructure**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -183,11 +189,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowProjectionFromPC**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -223,11 +231,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -263,11 +273,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowProjectionToPC**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -289,7 +301,7 @@ Allow or disallow turning off the projection to a PC.
If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-Value type is integer.
+Supported value type is integer.
@@ -315,11 +327,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -355,11 +369,13 @@ The following list shows the supported values:
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -395,11 +411,13 @@ The following list shows the supported values:
**WirelessDisplay/RequirePinForPairing**
+The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
+|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
@@ -421,7 +439,7 @@ Allow or disallow requirement for a PIN for pairing.
If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-Value type is integer.
+Supported value type is integer.
@@ -444,3 +462,7 @@ The following list shows the supported values:
+CSP Article:
+
+## Related topics
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
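Review bot: The added line "CSP Article:" is a dangling label with nothing after it and looks like leftover authoring text; remove it or complete it. In the same hunk, "## Related topics" is followed directly by the link with no blank line between them, unlike the Related topics sections added to the other files in this patch, and the file ends without a trailing newline.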
diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md
deleted file mode 100644
index ecef629054..0000000000
--- a/windows/client-management/mdm/policymanager-csp.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: PolicyManager CSP
-description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
-ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/28/2017
----
-
-# PolicyManager CSP
-
-PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
-
-
-
-## Related articles
-
-[Policy CSP](policy-configuration-service-provider.md)
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
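Review bot: Deleting policymanager-csp.md breaks inbound links unless .openpublishing.redirection.json gains a matching entry. The portion of that file's hunk visible at the top of this patch adds redirects for remotering-csp.md and remotering-ddf-file.md but does not show one for this page. Confirm a redirect is included, pointing at the Policy CSP article that the deleted page already named as its replacement.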
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 6e19fc3072..90ae19604d 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# Provisioning CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
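Review bot: The edition table is inserted between the "# Provisioning CSP" heading and the one-sentence description of what the CSP does, so the page now opens with a table before saying what it is about. Suggest moving the added block below "The Provisioning configuration service provider is used for bulk user enrollment to an MDM service." so the description stays first.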
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
deleted file mode 100644
index 33a8847c7f..0000000000
--- a/windows/client-management/mdm/proxy-csp.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: PROXY CSP
-description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
-ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
----
-
-# PROXY CSP
-
-
-The PROXY configuration service provider is used to configure proxy connections.
-
-> [!NOTE]
-> Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release.
-
-This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-For the PROXY CSP, you can't use the Replace command unless the node already exists.
-
-The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
-
-```
-./Vendor/MSFT/Proxy
-----*
---------ProxyId
---------Name
---------AddrType
---------Addr
---------AddrFQDN
---------ConRefs
-------------*
-----------------ConRef
---------Domains
-------------*
-----------------DomainName
---------Ports
-------------*
-----------------PortNbr
-----------------Services
---------------------*
-------------------------ServiceName
---------ProxyType
---------ProxyParams
-------------WAP
-----------------Trust
-----------------PushEnabled
---------Ext
-------------Microsoft
-----------------Guid
-```
-
-**./Vendor/MSFT/Proxy**
-Root node for the proxy connection.
-
-***ProxyName***
-Defines the name of a proxy connection.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
-
-The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction.
-
-***ProxyName*/PROXYID**
-Specifies the unique identifier of the proxy connection.
-
-***ProxyName*/NAME**
-Specifies the user-friendly name of the proxy connection.
-
-***ProxyName*/ADDR**
-Specifies the address of the proxy server.
-
-This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection.
-
-***ProxyName*/ADDRTYPE**
-Specifies the type of address used to identify the proxy server.
-
-The valid values are IPV4, IPV6, E164, ALPHA.
-
-***ProxyName*/PROXYTYPE**
-Specifies the type of proxy connection.
-
-Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL.
-
-***ProxyName*/Ports**
-Node for port information.
-
-***ProxyName*/Ports/_PortName_**
-Defines the name of a port.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names.
-
-***ProxyName*/Ports/*PortName*/PortNbr**
-Specifies the port number to be associated with the parent port.
-
-***ProxyName*/Ports/*PortName*/Services**
-Node for services information.
-
-***ProxyName*/Ports/Services/_ServiceName_**
-Defines the name of a service.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names.
-
-***ProxyName*/Ports/Services/*ServiceName*/ServiceName**
-Specifies the protocol to be associated with the parent port.
-
-One commonly used value is "HTTP".
-
-***ProxyName*/ConRefs**
-Node for connection reference information
-
-***ProxyName*/ConRefs/_ConRefName_**
-Defines the name of a connection reference.
-
-It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names.
-
-***ProxyName*/ConRefs/*ConRefName*/ConRef**
-Specifies one single connectivity object associated with the proxy connection.
-
-## Related topics
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
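Review bot: the deleted page's NOTE says PROXY CSP "will be deprecated in a future release" and tells readers to use CM_ProxyEntries CSP, but nothing in this hunk records that the deprecation has actually happened. Removing the full node reference (the ADDRTYPE and PROXYTYPE valid values, the single-atomic-transaction requirement) leaves admins who still have ./Vendor/MSFT/Proxy nodes provisioned without documentation. Suggest either keeping a short deprecation stub that links to cm-proxyentries-csp.md, or making sure the redirect for this path points there.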
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index cc8752d76b..6401374804 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -14,7 +14,6 @@ ms.date: 06/26/2017
# PXLOGICAL configuration service provider
-
The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
> [!NOTE]
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 95d4d915de..809e9c49fa 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -14,10 +14,21 @@ ms.date: 06/26/2017
# Reboot CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Reboot configuration service provider is used to configure reboot settings.
The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+
```
./Device/Vendor/MSFT
Reboot
@@ -26,41 +37,44 @@ Reboot
--------Single
--------DailyRecurrent
```
-**./Vendor/MSFT/Reboot**
-
The root node for the Reboot configuration service provider.
-
The supported operation is Get.
+**./Vendor/MSFT/Reboot**
+
+The root node for the Reboot configuration service provider.
+
+The supported operation is Get.
**RebootNow**
-
This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
+
+This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
> [!NOTE]
> If this node is set to execute during a sync session, the device will reboot at the end of the sync session.
-
The supported operations are Execute and Get.
+The supported operations are Execute and Get.
**Schedule**
-
The supported operation is Get.
+
+The supported operation is Get.
**Schedule/Single**
-
This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
-Example to configure: 2018-10-25T18:00:00
+
+This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
+Example to configure: 2018-10-25T18:00:00
Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00.
-
The supported operations are Get, Add, Replace, and Delete.
-
-
The supported data type is "String".
+- The supported operations are Get, Add, Replace, and Delete.
+- The supported data type is "String".
**Schedule/DailyRecurrent**
-
This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
-Example to configure: 2018-10-25T18:00:00
-
The supported operations are Get, Add, Replace, and Delete.
+This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
+Example to configure: 2018-10-25T18:00:00
-
The supported data type is "String".
+- The supported operations are Get, Add, Replace, and Delete.
+- The supported data type is "String".
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
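Review bot: in Schedule/DailyRecurrent the re-added text says the CSP returns "2018-06-29T10:00:00+01:00" while "Example to configure: 2018-10-25T18:00:00" has no UTC offset, and the same offset-less example is used for Schedule/Single. Since these nodes reboot the device at the stated time, the text should say whether an offset is accepted on input and, if it is omitted, whether the value is taken as device-local time or UTC. Two smaller points in the same hunk: "ISO8601" here versus "**ISO 8601**" under Schedule/Single, and the root node heading is "./Vendor/MSFT/Reboot" while the tree above starts at "./Device/Vendor/MSFT"; pick one path.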
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index aa6d711c71..186190cbec 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Reboot DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -147,8 +146,7 @@ The XML below is the current version for this CSP.
## Related topics
-
-[Reboot configuration service provider](reboot-csp.md)
+[Reboot CSP](reboot-csp.md)
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index 51ce1f0fd5..3e3b8ff7a0 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# RemoteFind CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The RemoteFind configuration service provider retrieves the location information for a particular device.
@@ -37,21 +47,24 @@ Optional. The node accepts the requested radius value in meters. Valid values fo
The default value is 50. Replacing this value only replaces it for the current session. The value isn't retained.
-Supported operations are Replace and Get. The Add command isn't supported.
+- Supported operations are Replace and Get.
+- The Add command isn't supported.
**Timeout**
Optional. Value is DWORD in seconds.
The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value isn't retained.
-Supported operations are Replace and Get. The Add command isn't supported.
+- Supported operations are Replace and Get.
+- The Add command isn't supported.
**MaximumAge**
Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes.
The default value is 60. Replacing this value only replaces it for the current session. The value isn't retained.
-Supported operations are Replace and Get. The Add command isn't supported.
+- Supported operations are Replace and Get.
+- The Add command isn't supported.
**Location**
Required. Nodes under this path must be queried atomically in order to succeed. This condition is to prevent servers from querying incomplete sets of data.
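Review bot: the MaximumAge paragraph left untouched between these edits contradicts itself on units: it describes "the desired time window in minutes", then says the server sets "the requested age value in 100 nanoseconds", then gives the range as "between 0 and 1440 minutes", and "Valid values for accuracy" looks copied from another node. Since this hunk is already reworking the section, please state one unit for MaximumAge and fix the "accuracy" wording. The bullet split of the supported operations itself is fine.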
@@ -102,7 +115,7 @@ The default value is 0.
Supported operation is Get.
**Age**
-Required. Provides the age in 100 nanoseconds for current location data.
+Required. Provides the age in 100 nanoseconds for the current location data.
The value returned is an integer.
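Review bot: "Provides the age in 100 nanoseconds for the current location data" still reads as a fixed duration rather than a unit. If the integer counts 100-nanosecond intervals, say so, for example "Provides the age of the current location data, in units of 100 nanoseconds."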
@@ -176,15 +189,4 @@ Supported operation is Get.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index e6b61e9477..3886bb405d 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# RemoteFind DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **RemoteFind** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -298,7 +297,9 @@ The XML below is the current version for this CSP.
```
-
+## Related topics
+
+[RemoteFind CSP](remotefind-csp.md)
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
deleted file mode 100644
index 548923b5fe..0000000000
--- a/windows/client-management/mdm/remotering-csp.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: RemoteRing CSP
-description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
-ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 06/26/2017
----
-
-# RemoteRing CSP
-
-
-You can use the RemoteRing configuration service provider to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device.
-
-The following DDF format shows the RemoteRing configuration service provider in tree format.
-```
-./User/Vendor/MSFT
-RemoteRing
-----Ring
-
-
-./Device/Vendor/MSFT
-Root
-
-
-./User/Vendor/MSFT
-./Device/Vendor/MSFT
-RemoteRing
-----Ring
-```
-**Ring**
-Required. The node accepts requests to ring the device.
-
-The supported operation is Exec.
-
-## Examples
-
-
-The following sample shows how to initiate a remote ring on the device.
-
-```xml
-
- 5
-
-
- ./Vendor/MSFT/RemoteRing/Ring
-
-
-
-```
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/remotering-ddf-file.md b/windows/client-management/mdm/remotering-ddf-file.md
deleted file mode 100644
index 763d8b6a90..0000000000
--- a/windows/client-management/mdm/remotering-ddf-file.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: RemoteRing DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the RemoteRing configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.assetid: 6815267F-212B-4370-8B72-A457E8000F7B
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: dansimp
-ms.date: 12/05/2017
----
-
-# RemoteRing DDF file
-
-
-This topic shows the OMA DM device description framework (DDF) for the **RemoteRing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-
-The XML below is the current version for this CSP.
-
-```xml
-
-]>
-
- 1.2
-
- RemoteRing
- ./User/Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Ring
-
-
-
-
- Required. The node accepts requests to ring the device. The supported operation is Exec
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Root
- ./Device/Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 1ff78fcccf..892812a101 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -14,6 +14,16 @@ ms.date: 08/13/2018
# RemoteWipe CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
@@ -40,10 +50,10 @@ Supported operation is Exec.
**doWipePersistProvisionedData**
Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed.
-Supported operation is Exec.
-
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
+Supported operation is Exec.
+
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
**doWipeProtected**
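Review bot: moving "Supported operation is Exec." below the OMA Client Provisioning sentence leaves it in the middle of the doWipePersistProvisionedData description, ahead of "The information that was backed up will be restored...". The doWipeProtected entry below ends with its supported-operation line; placing it last here as well would keep the node descriptions parallel and easier to scan for a command that wipes the device.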
@@ -54,7 +64,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which
Supported operation is Exec.
**doWipePersistUserData**
-Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
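Review bot: the comma added in "will perform a remote reset on the device, and persist user accounts and data" splits a compound predicate and should be dropped. More useful for this node: unlike the other wipe entries around it, doWipePersistUserData has no "Supported operation is Exec." line, even though the text says "Exec on this node"; adding it would make the entry consistent.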
@@ -71,7 +81,7 @@ Added in Windows 10, version 1809. Status value indicating current state of an A
Supported values:
- 0: Never run (not started). The default state.
-- 1: Complete.
+- 1: Complete.
- 10: Reset has been scheduled.
- 20: Reset is scheduled and waiting for a reboot.
- 30: Failed during CSP Execute ("Exec" in SyncML).
@@ -80,7 +90,6 @@ Supported values:
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index b423d893d9..f7982ce49b 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 08/13/2018
# RemoteWipe DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **RemoteWipe** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -109,7 +108,7 @@ The XML below is the DDF for Windows 10, version 1809.
text/plain
- Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.
+ Exec on this node will perform a remote wipe on the device, and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.
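Review bot: this edits the text of a description inside the XML that the page introduces as "the DDF for Windows 10, version 1809". If that block is meant to mirror the DDF file offered under "CSP DDF files download", copy edits here make the documented DDF differ from the downloadable one; consider leaving the XML verbatim and confining wording changes to the CSP article. The inserted comma in "on the device, and fully clean the internal drive" is also not needed.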
@@ -221,3 +220,7 @@ The XML below is the DDF for Windows 10, version 1809.
```
+
+## Related topics
+
+[RemoteWipe CSP](remotewipe-csp.md)
\ No newline at end of file
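Review bot: the new last line "[RemoteWipe CSP](remotewipe-csp.md)" is followed by "\ No newline at end of file". Please end the file with a newline so later appends do not show this line as modified.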
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 3167a33adc..7748b792e0 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# Reporting CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.
@@ -36,7 +46,7 @@ Reporting
```
**Reporting**
-Root node.
+The root node for the reporting configuration service provider.
**Reporting/EnterpriseDataProtection**
Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.
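Review bot: "The root node for the reporting configuration service provider." lower-cases the CSP name, while the page title and intro use "Reporting". Suggest "The root node for the Reporting configuration service provider."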
@@ -62,37 +72,32 @@ Interior node for retrieving a specified number of logs from the StartTime. The
**Logs**
Contains the reporting logs.
-Value type is XML.
-
-Supported operation is Get.
+- Value type is XML.
+- Supported operation is Get.
**StartTime**
Specifies the starting time for retrieving logs.
-Value type is string. Use ISO 8601 format.
-
-Supported operations are Get and Replace.
+- Value type is string. Use ISO 8601 format.
+- Supported operations are Get and Replace.
**StopTime**
Specifies the ending time for retrieving logs.
-Value type is string. Use ISO 8601 format.
-
-Supported operations are Get and Replace.
+- Value type is string. Use ISO 8601 format.
+- Supported operations are Get and Replace.
**Type**
-Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs.
+Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs.
-Value type is integer.
-
-Supported operations are Get and Replace.
+- Value type is integer.
+- Supported operations are Get and Replace.
**LogCount**
Specifies the number of logs to retrieve from the StartTime.
-Value type is int.
-
-Supported operations are Get and Replace.
+- Value type is int.
+- Supported operations are Get and Replace.
## Example
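Review bot: the new bullets give the value type as "integer" for Type but "int" for LogCount; use one term. Type also says only that it "Specifies the type of logs to retrieve" without listing which integer selects which log type (the text mentions the Windows Information Protection learning logs), so a reader cannot set it from this page. A short value list would close that gap.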
@@ -170,4 +175,8 @@ Retrieve a specified number of security auditing logs starting from the specifie
```
--->
\ No newline at end of file
+-->
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index d5d716e6bb..74600efb89 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Reporting DDF file
-
This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -73,7 +72,7 @@ The XML below is the current version for the desktop CSP.
- A time range is supported by setting a start and stop time in ISO 8601 format. If the start/stop value is not preset and a GetValue is called to RetrieveByTimeRange then the missing values will be interpreted as either the first existing or the last existing. For example, not setting a start date and setting an end date will return all known logs that exist before the end date. Setting a start date but not an end date will return all the logs that exist from the start date. Not setting a start and end date will return all logs.
+ A time range is supported by setting a start and stop time in ISO 8601 format. If the start/stop value is not preset and a GetValue is called to RetrieveByTimeRange, then the missing values will be interpreted as either the first existing or the last existing. For example, not setting a start date, and setting an end date will return all known logs that exist before the end date. Setting a start date but not an end date will return all the logs that exist from the start date. Not setting a start and end date will return all logs.
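Review bot: in "not setting a start date, and setting an end date will return all known logs", the added comma separates the two halves of the subject from the verb; drop it. The comma after "RetrieveByTimeRange" is fine. "is not preset" in the same sentence probably wants to be "is not set", worth confirming while this line is being touched.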
@@ -159,7 +158,7 @@ The XML below is the current version for the desktop CSP.
0
- Specifies the type of logs to retrieve
+ Specifies the type of logs to retrieve.
@@ -181,7 +180,7 @@ The XML below is the current version for the desktop CSP.
- The count range will return the configured number of logs starting from the StartTime value. The start time is expressed in ISO8601 formt. The caller will configure the number of desired logs by calling set on the LogCount and StartTime, then retrieve the logs by calling get on Logs node. The call will return the number of desired logs or less if the total number of logs are less than the desired number of logs. The logs are returned from StartTime forward.
+ The count range will return the configured number of logs starting from the StartTime value. The start time is expressed in ISO8601 format. The caller will configure the number of desired logs by calling set on the LogCount and StartTime, and then retrieve the logs by calling get on Logs node. The call will return the number of desired logs or less, if the total number of logs are less than the desired number of logs. The logs are returned from StartTime forward.
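Review bot: "ISO8601 formt" is fixed to "ISO8601 format", but the time-range description earlier in this file writes "ISO 8601"; use the spaced form here too. In the same added line, "the number of desired logs or less, if the total number of logs are less than" should read "or fewer if the total number of logs is less than".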
@@ -266,7 +265,7 @@ The XML below is the current version for the desktop CSP.
0
- Specifies the type of logs to retrieve
+ Specifies the type of logs to retrieve.
@@ -286,13 +285,8 @@ The XML below is the current version for the desktop CSP.
```
-
+## Related topics
-
-
-
-
-
-
-
+[Reporting CSP](reporting-csp.md)
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 3b298a1606..e4a1e8600c 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -14,13 +14,22 @@ ms.date: 03/06/2018
# RootCATrustedCertificates CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates.
> [!Note]
> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
-
The following example shows the RootCATrustedCertificates configuration service provider in tree format.
Detailed specification of the principal root nodes:
@@ -61,13 +70,13 @@ RootCATrustedCertificates
------------TemplateName
```
**Device or User**
-For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
+For device certificates, use **./Device/Vendor/MSFT** path, and for user certificates use **./User/Vendor/MSFT** path.
**RootCATrustedCertificates**
The root node for the RootCATrustedCertificates configuration service provider.
**RootCATrustedCertificates/Root/**
-Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store.
+Defines the certificate store that contains root or self-signed certificates, in this case, the computer store.
> [!Note]
> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
@@ -89,34 +98,24 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi
The following nodes are all common to the **_CertHash_** node:
-**/EncodedCertificate**
-Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace.
+- **/EncodedCertificate**
+Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace.
-**/IssuedBy**
+- **/IssuedBy**
Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get.
-**/IssuedTo**
+- **/IssuedTo**
Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get.
-**/ValidFrom**
+- **/ValidFrom**
Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get.
-**/ValidTo**
+- **/ValidTo**
Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get.
-**/TemplateName**
+- **/TemplateName**
Returns the certificate template name. The only supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
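Review bot: the EncodedCertificate line changes "can't" to "cannot" while the rest of this patch keeps contractions ("isn't supported"), and the same sentence spells the encoding two ways, "Base64-encoded" and "Base-64 string"; settle on one of each. For the new list items, the description sits on the line after "- **/EncodedCertificate**" with no indentation, so check that the rendered page shows the node name and its description as intended.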
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 78f3e0b69e..6d3114481c 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 03/07/2018
# RootCATrustedCertificates DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -77,7 +76,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -127,7 +126,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -199,7 +198,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -272,7 +271,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -319,7 +318,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -382,7 +381,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -449,7 +448,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -499,7 +498,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -571,7 +570,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -644,7 +643,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -694,7 +693,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -766,7 +765,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -839,7 +838,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -889,7 +888,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -961,7 +960,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1055,7 +1054,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -1105,7 +1104,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -1177,7 +1176,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1250,7 +1249,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -1297,7 +1296,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -1360,7 +1359,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1427,7 +1426,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -1477,7 +1476,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -1549,7 +1548,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1622,7 +1621,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -1672,7 +1671,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -1744,7 +1743,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1817,7 +1816,7 @@ The XML below is for Windows 10, version 1803.
- Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value
+ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
@@ -1867,7 +1866,7 @@ The XML below is for Windows 10, version 1803.
- Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
+ Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure.
@@ -1939,7 +1938,7 @@ The XML below is for Windows 10, version 1803.
- Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure
+ Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure.
@@ -1986,3 +1985,7 @@ The XML below is for Windows 10, version 1803.
```
+
+## Related topics
+
+[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
\ No newline at end of file
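Review bot: The new last line, `[RootCATrustedCertificates CSP](rootcacertificates-csp.md)`, is followed by the "\ No newline at end of file" marker, so the file ends without a terminating newline. Add one after the link so later appends to this file produce clean diffs. The link text names "RootCATrustedCertificates" while the target is `rootcacertificates-csp.md`, so confirm the target file name before merging.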
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index bdc2932777..06af135189 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -14,6 +14,17 @@ ms.date: 06/26/2017
# SecureAssessment CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The SecureAssessment configuration service provider is used to provide configuration information for the secure assessment browser.
The following example shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
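Review bot: The added lead-in "The table below shows the applicability of Windows:" does not say what is applicable to what. The table lists Windows editions against Windows 10 and Windows 11, so something like "The table below shows the Windows editions that support this CSP:" would match its content. The same sentence is added in the SecurityPolicy and SharedPC hunks and should be changed there too.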
@@ -29,7 +40,7 @@ The root node for the SecureAssessment configuration service provider.
The supported operation is Get.
**LaunchURI**
-URI Link to an assessment that's automatically loaded when the secure assessment browser is launched.
+URI link to an assessment that's automatically loaded when the secure assessment browser is launched.
The supported operations are Add, Delete, Get, and Replace.
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 76fa3dcb8b..4aff84bd1d 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -184,12 +184,6 @@ The XML below is the current version for this CSP.
```
-
-
-
-
-
-
-
-
+## Related topics
+[SecureAssessment CSP](secureassessment-csp.md)
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 5664077e3e..12c12195b2 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -14,15 +14,23 @@ ms.date: 06/26/2017
# SecurityPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The SecurityPolicy configuration service provider is used to configure security policy settings for WAP push, OMA Client Provisioning, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES capabilities to be accessed from a network configuration application.
-
-
-For the SecurityPolicy CSP, you can't use the Replace command unless the node already exists.
+For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
The following example shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
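Review bot: Changing "you can't use the Replace command" to "you cannot use the Replace command" goes against the contraction style used elsewhere in this patch ("that's automatically loaded", "isn't specified", "doesn't prevent"). Keep "can't" here, or convert the other occurrences, so the docs use one style.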
@@ -112,7 +120,6 @@ The following security policies are supported.
## Remarks
-
Security roles allow or restrict access to device resources. The security role is based on the message origin and how the message is signed. You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE\_KNOWN\_PPG and SECROLE\_OPERATOR\_TPS roles, use the decimal value 384 (256+128).
The following security roles are supported.
@@ -123,11 +130,8 @@ The following security roles are supported.
|SECROLE_KNOWN_PPG|256|Known Push Proxy Gateway. Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.|
|SECROLE_ANY_PUSH_SOURCE|4096|Push Router. Messages received by the push router will be assigned to this role.|
-
-
## OMA Client Provisioning examples
-
Setting a security policy:
```xml
@@ -150,7 +154,6 @@ Querying a security policy:
## OMA DM examples
-
Setting a security policy:
```xml
@@ -195,7 +198,6 @@ Querying a security policy:
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning.
|Elements|Available|
@@ -203,9 +205,6 @@ The following table shows the Microsoft custom elements that this Configuration
|parm-query|Yes|
|noparm|Yes. If this element is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).|
-
-
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 7f8d360143..567c6f4989 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -14,6 +14,16 @@ ms.date: 01/16/2019
# SharedPC CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The SharedPC configuration service provider is used to configure settings for Shared PC usage.
@@ -57,7 +67,9 @@ A boolean value that specifies whether the policies for education environment ar
The supported operations are Add, Get, Replace, and Delete.
-The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
+The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
+
+In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
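Review bot: The first added line still gives two different defaults back to back: "The default value changed to false in Windows 10, version 1703." and "The default value is Not Configured". Splitting the paragraph separates the version 1607 behavior but leaves this contradiction in place. State a single default for version 1703 and later, and if both statements are meant to hold, explain how they relate.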
@@ -140,9 +152,9 @@ For Windows 10, version 1607, here's the list shows the supported values:
For Windows 10, version 1703, here's the list of supported values:
-- 0 - Delete immediately
-- 1 - Delete at disk space threshold
-- 2 - Delete at disk space threshold and inactive threshold
+- 0 - Delete immediately.
+- 1 - Delete at disk space threshold.
+- 2 - Delete at disk space threshold and inactive threshold.
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
@@ -181,7 +193,8 @@ The default value is Not Configured and behavior is no such restriction applied.
**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@@ -197,7 +210,9 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
-The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- The default value is Not Configured.
+- Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
@@ -207,21 +222,12 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+- Default value is Not Configured.
+- Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
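Review bot: The note kept as context in this hunk reads "If used, this value must set before the action on the **EnableSharedPCMode** node is taken", which is missing "be" ("must be set"). The patch reformats the lines directly below it, so fix the note in the same change. The identical note in the KioskModeAUMID hunk needs the same correction.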
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 362f24ac59..81facaf312 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# SharedPC DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -176,7 +175,7 @@ The XML below is the DDF for Windows 10, version 1703.
300
- The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.
+ The amount of time before the PC sleeps, given in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken.
@@ -436,7 +435,6 @@ The XML below is the DDF for Windows 10, version 1703.
## Related topics
-
[SharedPC configuration service provider](sharedpc-csp.md)
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 61cb297fdf..6e89265fcb 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -14,6 +14,17 @@ ms.date: 09/12/2019
# SUPL CSP
+The SUPL configuration service provider is used to configure the location client, as shown in the following:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The SUPL configuration service provider is used to configure the location client, as shown in the following table:
- **Location Service**: Connection type
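Review bot: The added lead-in "The SUPL configuration service provider is used to configure the location client, as shown in the following:" introduces the edition table with a sentence about configuring the location client, and it duplicates the existing sentence that follows the table. The other CSP pages in this patch introduce the same table with an applicability sentence, so use that sentence here and leave the original description below the table as the only copy.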
@@ -32,7 +43,7 @@ The SUPL configuration service provider is used to configure the location client
- Address of the server—a mobile positioning center for non-trusted mode.
- The positioning method used by the MPC for non-trusted mode.
-The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted, a new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used.
+The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted. A new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used.
The following example shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning.
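Review bot: Breaking the sentence after "rebooted" changes its meaning. The removed line listed three triggers for reconfiguration (reboot, a new UICC being inserted, new settings being provisioned). The added line says only reboot triggers it and leaves "A new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools." as a standalone statement with no connection to reconfiguration. Keep the three conditions in one sentence, or turn them into a bulleted list under "will be reconfigured every time:".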
@@ -83,7 +94,7 @@ Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) serve
If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3.
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned. But the configuration service provider will continue processing the rest of the parameters.
**Version**
Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator.
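Review bot: The split leaves a sentence that begins with "But" ("But the configuration service provider will continue processing the rest of the parameters."), and the same sentence is reworded differently in the later hunks of this file ("then an entry will be ignored ..., but the configuration service provider ..."). Pick one wording for this repeated sentence and apply it to every occurrence.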
@@ -94,9 +105,9 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z
**MCCMNCPairs**
Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL.
-This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC.
+This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC.
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
**HighAccPositioningMethod**
Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers:
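Review bot: In the added line "if the format for this node is incorrect then an entry will be ignored", replacing "the entry" with "an entry" loses the reference to the specific malformed node value. The removed text made clear that the entry with the incorrect format is the one ignored. Keep "the entry", and add a comma before "then" if that word stays.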
@@ -110,16 +121,12 @@ Optional. Specifies the positioning method that the SUPL client will use for mob
|4|OTDOA|
|5|AFLT|
-
-
The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services.
> [!IMPORTANT]
> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes.
-
-
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
**LocMasterSwitchDependencyNII**
Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1.
@@ -133,7 +140,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu
|Off|0|Yes|
|Off|1|No (unless privacyOverride is set)|
-
When the location toggle is set to Off and this value is set to 1, the following application requests will fail:
- `noNotificationNoVerification`
@@ -148,12 +154,12 @@ However, if `privacyOverride` is set in the message, the location will be return
When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working.
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
**NIDefaultTimeout**
-Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
+Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
-This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used.
+This value manages the settings for SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
**ServerAccessInterval**
Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60.
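Review bot: The added line "If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used" turns a condition into a statement of fact. The removed line said the SUPL setting is used when a device has both configured and the values differ. It does not claim they always differ. The NIDefaultTimeout rewrite has a similar problem: "Time in seconds. It defines that the network-initiated location request is displayed to the user" no longer says the value is how long the request is displayed. Restore the original sentences in both places. The same rewording recurs in the later hunks of this file.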
@@ -216,10 +222,10 @@ Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root ce
Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time.
**MPC**
-Optional. The address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty.
+Optional. Specifies the address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty.
**PDE**
-Optional. The address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty.
+Optional. Specifies the address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty.
**PositioningMethod\_MR**
Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers:
@@ -238,13 +244,12 @@ The default is 0. The default method provides high-quality assisted GNSS positio
> The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.
-
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
**LocMasterSwitchDependencyNII**
Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1.
-This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used.
+This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
|Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed|
|--- |--- |--- |
@@ -267,22 +272,21 @@ However, if `privacyOverride` is set in the message, the location will be return
When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working.
-For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
+For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
**ApplicationTypeIndicator\_MR**
Required. This value must always be set to `00000011`.
**NIDefaultTimeout**
-Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
+Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
-This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used.
+This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
**ServerAccessInterval**
Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60.
## Unsupported Nodes
-
The following optional nodes aren't supported on Windows devices.
- ProviderID
@@ -305,7 +309,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove
## OMA Client Provisioning examples
-
Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml
@@ -330,7 +333,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita
```
-Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
+Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value.
```xml
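Review bot: "binary blob" is changed to "binary BLOB" only in this sentence, while the unchanged context lines for the other two examples in this file still say "A valid binary blob must be included for the root certificate data value." Use one capitalization across all three sentences.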
@@ -361,7 +364,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be
## OMA DM examples
-
Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml
@@ -436,7 +438,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 1e276239dd..3828794610 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -14,9 +14,10 @@ ms.date: 07/28/2017
# SurfaceHub CSP
-The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
+The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later.
The following example shows the SurfaceHub CSP management objects in tree format.
+
```
./Vendor/MSFT
SurfaceHub
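Review bot: "This CSP was added in Windows 10, version 1511, and later." does not read correctly, because a CSP is added in one release. Either keep the original "was added in Windows 10, version 1511" or rephrase to "is available in Windows 10, version 1511, and later".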
@@ -72,13 +73,14 @@ SurfaceHub
--------WorkspaceID
--------WorkspaceKey
```
+
**./Vendor/MSFT/SurfaceHub**
-
The root node for the Surface Hub configuration service provider.
+The root node for the Surface Hub configuration service provider.
**DeviceAccount**
-
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
+Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
-
To use a device account from Azure Active Directory
+To use a device account from Azure Active Directory
1. Set the UserPrincipalName (for Azure AD).
2. Set a valid Password.
@@ -89,7 +91,7 @@ SurfaceHub
> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress.
-
Here's a SyncML example.
+Here's a SyncML example.
```xml
@@ -139,7 +141,7 @@ SurfaceHub
```
-
To use a device account from Active Directory
+To use a device account from Active Directory:
1. Set the DomainName.
2. Set the UserName.
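Review bot: The added colon in "To use a device account from Active Directory:" leaves the two procedure lead-ins inconsistent, because the earlier "To use a device account from Azure Active Directory" line is re-added without one. Add the colon to both.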
@@ -147,207 +149,268 @@ SurfaceHub
4. Execute the ValidateAndCommit node.
**DeviceAccount/DomainName**
-
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
-
The data type is string. Supported operation is Get and Replace.
+Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/UserName**
-
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
-
The data type is string. Supported operation is Get and Replace.
+Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/UserPrincipalName**
-
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
-
The data type is string. Supported operation is Get and Replace.
+User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/SipAddress**
-
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
-
The data type is string. Supported operation is Get and Replace.
+Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/Password**
-
Password for the device account.
-
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
+Password for the device account.
+
+- The data type is string.
+- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
**DeviceAccount/ValidateAndCommit**
-
This method validates the data provided and then commits the changes.
-
The data type is string. Supported operation is Execute.
+This method validates the data provided and then commits the changes.
+
+- The data type is string.
+- Supported operation is Execute.
**DeviceAccount/Email**
-
Email address of the device account.
-
The data type is string.
+Email address of the device account. The data type is string.
-**DeviceAccount/PasswordRotationEnabled**
-
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+**DeviceAccount/
+PasswordRotationEnabled**
-
Valid values:
+Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+
+Valid values:
- 0 - password rotation enabled
- 1 - disabled
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**DeviceAccount/ExchangeServer**
-
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
-
The data type is string. Supported operation is Get and Replace.
+Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**DeviceAccount/ExchangeModernAuthEnabled**
-
Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
-
The data type is boolean. Supported operation is Get and Replace.
+Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/CalendarSyncEnabled**
-
Specifies whether calendar sync and other Exchange server services is enabled.
-
The data type is boolean. Supported operation is Get and Replace.
+Specifies, whether calendar sync and other Exchange server services is enabled.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/ErrorContext**
If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values:
-| ErrorContext value | Stage where error occurred | Description and suggestions |
+| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
-For Azure AD accounts, ensure that UserPrincipalName and Password are valid. -For AD accounts, ensure that DomainName, UserName, and Password are valid. -Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
For Azure AD accounts, ensure that UserPrincipalName and Password are valid. For AD accounts, ensure that DomainName, UserName, and Password are valid. Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
-| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. |
+| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
-| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
+| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. |
-The data type is integer. Supported operation is Get.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get.
**MaintenanceHoursSimple/Hours**
-
-
Node for maintenance schedule.
+Node for maintenance schedule.
**MaintenanceHoursSimple/Hours/StartTime**
-
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
-
The data type is integer. Supported operation is Get and Replace.
+Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**MaintenanceHoursSimple/Hours/Duration**
-
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
-
The data type is integer. Supported operation is Get and Replace.
+Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps**
-
Node for the in-box app settings.
+
+Node for the in-box app settings.
**InBoxApps/SkypeForBusiness**
-
Added in Windows 10, version 1703. Node for the Skype for Business settings.
+
+Added in Windows 10, version 1703. Node for the Skype for Business settings.
**InBoxApps/SkypeForBusiness/DomainName**
-
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
-
The data type is string. Supported operation is Get and Replace.
+Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome**
-
Node for the welcome screen.
+Node for the welcome screen.
**InBoxApps/Welcome/AutoWakeScreen**
-
Automatically turn on the screen using motion sensors.
-
The data type is boolean. Supported operation is Get and Replace.
+Automatically turn on the screen using motion sensors.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome/CurrentBackgroundPath**
-
Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image.
-
The data type is string. Supported operation is Get and Replace.
+Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**InBoxApps/Welcome/MeetingInfoOption**
-
Meeting information displayed on the welcome screen.
-
Valid values:
+Meeting information displayed on the welcome screen.
+
+Valid values:
- 0 - Organizer and time only
- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard**
-
Node for the Whiteboard app settings.
+
+Node for the Whiteboard app settings.
**InBoxApps/Whiteboard/SharingDisabled**
-
Invitations to collaborate from the Whiteboard app aren't allowed.
-
The data type is boolean. Supported operation is Get and Replace.
+Invitations to collaborate from the Whiteboard app aren't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/SigninDisabled**
-
Sign-ins from the Whiteboard app aren't allowed.
-
The data type is boolean. Supported operation is Get and Replace.
+Sign-ins from the Whiteboard app aren't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/TelemeteryDisabled**
-
Telemetry collection from the Whiteboard app isn't allowed.
-
The data type is boolean. Supported operation is Get and Replace.
+Telemetry collection from the Whiteboard app isn't allowed.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection**
-
Node for the wireless projector app settings.
+
+Node for the wireless projector app settings.
**InBoxApps/WirelessProjection/PINRequired**
-
Users must enter a PIN to wirelessly project to the device.
-
The data type is boolean. Supported operation is Get and Replace.
+Users must enter a PIN to wireless project to the device.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Enabled**
-
Enables wireless projection to the device.
-
The data type is boolean. Supported operation is Get and Replace.
+Enables wireless projection to the device.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Channel**
-
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
-|Compatibility|Values|
+Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
+
+|**Compatibility**|**Values**|
|--- |--- |
|Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11|
|Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48|
|Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165|
+The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for).
-
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).
-
-
The data type is integer. Supported operation is Get and Replace.
+- The data type is integer.
+- Supported operation is Get and Replace.
**InBoxApps/Connect**
-
Added in Windows 10, version 1703. Node for the Connect app.
+
+Added in Windows 10, version 1703. Node for the Connect app.
**InBoxApps/Connect/AutoLaunch**
-
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
-
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
+Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated.
-
The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties**
-
Node for the device properties.
+
+Node for the device properties.
**Properties/FriendlyName**
-
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
-
The data type is string. Supported operation is Get and Replace.
+Friendly name of the device. Specifies the name that users see when they want wireless project to the device.
+
+- The data type is string.
+- Supported operation is Get and Replace.
**Properties/DefaultVolume**
-
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
-
The data type is integer. Supported operation is Get and Replace.
+Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
+
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/DefaultAutomaticFraming**
-
Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
-
The data type is boolean. Supported operation is Get and Replace.
+Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/ScreenTimeout**
-
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
-
The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
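Review bot: The re-added heading for PasswordRotationEnabled is split across two lines ("**DeviceAccount/" and "PasswordRotationEnabled**"), which breaks the bold node name that every other heading keeps on one line; join it back into "**DeviceAccount/PasswordRotationEnabled**". Several rewrites in this hunk also regress the wording: "Specifies, whether" (ExchangeModernAuthEnabled, CalendarSyncEnabled, Connect/AutoLaunch) adds a comma that does not belong, and "Users must enter a PIN to wireless project to the device" and "when they want wireless project to the device" lose "wirelessly" and, in the second case, "to". DeviceAccount/Email is the only leaf here that gives a data type with no supported operation; state it if it is known.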
@@ -361,14 +424,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SessionTimeout**
-
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
-
The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute (default)|
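Review bot: The added lead-in "It performs the following:" ahead of the data type and supported operation bullets for ScreenTimeout is inaccurate, since the bullets describe the node's properties rather than actions it performs. The same line is added after the PasswordRotationEnabled, ErrorContext, MeetingInfoOption, SessionTimeout, SleepTimeout and SleepMode entries; remove it and let the bullets follow the table or value list directly, as they do for the other nodes.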
@@ -382,14 +448,17 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SleepTimeout**
-
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
-
The following table shows the permitted values.
+Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
-|Value|Description|
+The following table shows the permitted values.
+
+|**Value**|**Description**|
|--- |--- |
|0|Never time out|
|1|1 minute|
@@ -403,61 +472,84 @@ The data type is integer. Supported operation is Get.
|120|2 hours|
|240|4 hours|
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/SleepMode**
-
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
-
Valid values:
+Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
+
+Valid values:
- 0 - Connected Standby (default)
- 1 - Hibernate
-
The data type is integer. Supported operation is Get and Replace.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get and Replace.
**Properties/AllowSessionResume**
-
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
-
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
-
The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/AllowAutoProxyAuth**
-
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
-
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
+Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
-
The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/ProxyServers**
-
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
-
The data type is string. Supported operation is Get and Replace.
+Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://).
+
+- The data type is string.
+- Supported operation is Get and Replace.
**Properties/DisableSigninSuggestions**
-
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
-
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
+Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
-
The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**Properties/DoNotShowMyMeetingsAndFiles**
-
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
-
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
+Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
-
The data type is boolean. Supported operation is Get and Replace.
+If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**MOMAgent**
-
Node for the Microsoft Operations Management Suite.
+
+Node for the Microsoft Operations Management Suite.
**MOMAgent/WorkspaceID**
-
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
-
The data type is string. Supported operation is Get and Replace.
+GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
-**MOMAgent/WorkspaceKey**
-
Primary key for authenticating with the workspace.
+- The data type is string.
+- Supported operation is Get and Replace.
-
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
+**MOMAgent/WorkspaceKey**
+Primary key for authenticating with the workspace.
+
+- The data type is string.
+- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
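Review bot: The file now ends at the added "Related topics" link with no trailing newline, as the "\ No newline at end of file" marker shows; end the file with a newline. In the AllowSessionResume text carried into the added lines, “End Session" opens with a curly quote and closes with a straight one, which is worth fixing while the paragraph is being touched.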
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 6f4815ab07..a4b4565694 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -13,6 +13,17 @@ manager: dansimp
# TenantLockdown CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
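Review bot: The added sentence "The table below shows the applicability of Windows:" reads backwards, since the table lists which Windows editions this CSP applies to. Suggest wording such as "The following table shows the Windows editions to which this CSP applies:", and apply the same fix where the sentence is added in the TPMPolicy, UEFI and UnifiedWriteFilter files.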
@@ -28,16 +39,21 @@ TenantLockdown
----RequireNetworkInOOBE
```
**./Vendor/MSFT/TenantLockdown**
-The root node.
+The root node for the TenantLockdown configuration service provider.
**RequireNetworkInOOBE**
-Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in.
+Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option.
-Value type is bool. Supported operations are Get and Replace.
+- Value type is bool.
+- Supported operations are Get and Replace.
-- True - Require network in OOBE
-- False - No network connection requirement in OOBE
+ - True - Require network in OOBE.
+ - False - No network connection requirement in OOBE.
-Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account.
+Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
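Review bot: The True and False values are now indented beneath the "Supported operations are Get and Replace." bullet, so they render as sub-items of the supported operations rather than as the values of the setting. Move them under "Value type is bool." or give them their own "Valid values" list. The reworded first sentence also says "at first logon" while the next paragraph, left unchanged, says "at first sign in"; keep one term.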
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index af4f245a6e..e85778cb28 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -75,3 +75,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[TenantLockdown CSP](tenantlockdown-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index ee13358bb5..a95c47c94f 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -255,8 +255,6 @@ items:
items:
- name: EnterpriseAPN DDF
href: enterpriseapn-ddf.md
- - name: EnterpriseAppManagement CSP
- href: enterpriseappmanagement-csp.md
- name: EnterpriseAppVManagement CSP
href: enterpriseappvmanagement-csp.md
items:
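Review bot: Dropping the EnterpriseAppManagement CSP entry here, and the Messaging, PolicyManager, PROXY and RemoteRing entries in the later hunks of this file, only removes them from navigation. Confirm that each removed href has a matching redirect and that the page itself is deleted in this change, so that no orphaned page or dead link remains.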
@@ -296,11 +294,6 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
- - name: Messaging CSP
- href: messaging-csp.md
- items:
- - name: Messaging DDF file
- href: messaging-ddf.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@@ -835,12 +828,8 @@ items:
href: policy-csp-windowssandbox.md
- name: WirelessDisplay
href: policy-csp-wirelessdisplay.md
- - name: PolicyManager CSP
- href: policymanager-csp.md
- name: Provisioning CSP
href: provisioning-csp.md
- - name: PROXY CSP
- href: proxy-csp.md
- name: PXLOGICAL CSP
href: pxlogical-csp.md
- name: Reboot CSP
@@ -853,11 +842,6 @@ items:
items:
- name: RemoteFind DDF file
href: remotefind-ddf-file.md
- - name: RemoteRing CSP
- href: remotering-csp.md
- items:
- - name: RemoteRing DDF file
- href: remotering-ddf-file.md
- name: RemoteWipe CSP
href: remotewipe-csp.md
items:
@@ -920,6 +904,11 @@ items:
items:
- name: UnifiedWriteFilter DDF file
href: unifiedwritefilter-ddf.md
+ - name: UniversalPrint CSP
+ href: universalprint-csp.md
+ items:
+ - name: UniversalPrint DDF file
+ href: universalprint-ddf-file.md
- name: Update CSP
href: update-csp.md
items:
@@ -963,10 +952,10 @@ items:
items:
- name: WindowsAdvancedThreatProtection DDF file
href: windowsadvancedthreatprotection-ddf.md
- - name: WindowsAutoPilot CSP
+ - name: WindowsAutopilot CSP
href: windowsautopilot-csp.md
items:
- - name: WindowsAutoPilot DDF file
+ - name: WindowsAutopilot DDF file
href: windowsautopilot-ddf-file.md
- name: WindowsDefenderApplicationGuard CSP
href: windowsdefenderapplicationguard-csp.md
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 0c7915fe7c..18a3515e60 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -13,10 +13,20 @@ manager: dansimp
# TPMPolicy CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
-The TPMPolicy CSP was added in Windows 10, version 1703.
+The TPMPolicy CSP was added in Windows 10, version 1703, and later.
The following example shows the TPMPolicy configuration service provider in tree format.
```
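Review bot: "was added in Windows 10, version 1703, and later" on the changed line combines a one-time event with a version range. Use either "was added in Windows 10, version 1703" or "is available in Windows 10, version 1703 and later". Also check that a blank line separates the last table row from the following paragraph, since the hunk adds none.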
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index 8a3a6d1f58..5b7c5a00a1 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -13,8 +13,18 @@ manager: dansimp
# UEFI CSP
+The table below shows the applicability of Windows:
-The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later.
> [!NOTE]
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
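Review bot: "version 1809c" in the rewritten introduction looks like a typo for 1809, which is the version the note just below it names. The sentence would also read better as "is available in Windows 10, version 1809 and later".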
@@ -51,7 +61,7 @@ Uefi
```
The following list describes the characteristics and parameters.
-**./Vendor/MSFT/Uefi**
+**./Vendor/MSFT/UEFI**
Root node.
**DeviceIdentifier**
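Review bot: The node heading is changed to `./Vendor/MSFT/UEFI`, but the hunk header context shows the tree root as `Uefi`. If the heading is meant to be the literal OMA-URI an administrator enters in an MDM profile, it should match the tree and the node name the CSP registers; please confirm the casing and use it in both places.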
@@ -80,7 +90,7 @@ Retrieves the binary result package of the previous Identity/Apply operation.
Supported operation is Get.
**Permissions**
-Node for settings permission operations..
+Node for settings permission operations.
**Permissions/Current**
Retrieves XML from UEFI that describes the current UEFI settings permissions.
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 1904740772..43ef78e8bb 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# UnifiedWriteFilter CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
@@ -315,7 +325,6 @@ Supported operations are Get and Execute.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md
new file mode 100644
index 0000000000..e7ca5d359c
--- /dev/null
+++ b/windows/client-management/mdm/universalprint-csp.md
@@ -0,0 +1,110 @@
+---
+title: UniversalPrint CSP
+description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices.
+ms.author: mandia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MandiOhlinger
+ms.date: 06/02/2022
+ms.reviewer: jimwu
+manager: dougeby
+---
+
+# UniversalPrint CSP
+
+The table below shows the applicability of Windows:
+
+|Edition|Windows 11|
+|--- |--- |
+|Home|No|
+|Pro|Yes|
+|Windows SE|Yes|
+|Business|Yes|
+|Enterprise|Yes|
+|Education|Yes|
+
+The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis).
+
+This CSP was added in Windows 11.
+
+The following example shows the UniversalPrint configuration service provider in tree format.
+
+```console
+./Vendor/MSFT
+PrinterProvisioning
+----UPPrinterInstalls
+-------- (PrinterSharedID)
+--------CloudDeviceID
+--------PrinterSharedName
+--------Install
+--------Status
+--------ErrorCode
+```
+
+**./Vendor/MSFT/PrinterProvisioning**
+The root node for the Universal Print PrinterProvisioning configuration service provider.
+
+**UPPrinterInstalls**
+
+This setting will install or uninstall a specific printer to a targeted user account.
+
+Valid values:
+
+- Install (default) - The printer is installed.
+- Uninstall - The printer is uninstalled.
+
+The data type is node (XML node). Supported operation is Get.
+
+**`` (PrinterSharedID)**
+
+The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
+
+The data type is node (XML node). Supported operations are Get, Add, and Delete.
+
+> [!NOTE]
+> The targeted user account must have access rights to the printer and to the Universal Print service.
+
+**CloudDeviceID**
+
+The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
+
+The data type is string/text (GUID). Supported operations are Get, Add, Delete, and Replace.
+
+> [!NOTE]
+> The targeted user account must have access rights to the printer and to the Universal Print service.
+
+**PrinterSharedName**
+
+The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up).
+
+The data type is string/text. Supported operations are Get, Add, Delete, and Replace.
+
+> [!NOTE]
+> The targeted user account must have access rights to the printer and to the Universal Print service.
+
+**Install**
+
+Installs the Universal Print printer. Supports async execute.
+
+The data type is string/text (empty string). Supported operations are Get and Execute.
+
+**Status**
+
+The result status of the printer installation.
+
+Valid values:
+
+- 1 (default) - Installation completed successfully.
+- 2 - Installation is in progress after receiving execute cmd.
+- 4 - Installation failed.
+- 8 - Installation initial status
+- 32 - Unknown (not used)
+
+The data type is int. Supported operations is Get.
+
+**ErrorCode**
+
+HRESULT of the last installation returned code.
+
+The data type is int. Supported operation is Get.
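Review bot: Under **Status**, value 1 (installation completed successfully) is marked as the default while 8 is described as the initial status; a node that reports success before any Execute has run would mislead an MDM server polling it, so please confirm which value is the real default. In the same section "Supported operations is Get" should be "Supported operation is Get", and the bullet for 8 lacks its closing period. Under **UPPrinterInstalls**, the Install/Uninstall "valid values" do not fit a node whose data type is node and whose only supported operation is Get; describe how an uninstall is actually expressed or drop the list.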
diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md
new file mode 100644
index 0000000000..cc624c9c29
--- /dev/null
+++ b/windows/client-management/mdm/universalprint-ddf-file.md
@@ -0,0 +1,214 @@
+---
+title: UniversalPrint DDF file
+description: UniversalPrint DDF file
+ms.author: mandia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MandiOhlinger
+ms.date: 06/02/2022
+ms.reviewer: jimwu
+manager: dougeby
+---
+
+# UniversalPrint DDF file
+
+This article shows the OMA DM device description framework (DDF) for the **UniversalPrint** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+```xml
+
+]>
+
+ 1.2
+
+ PrinterProvisioning
+ ./User/Vendor/MSFT
+
+
+
+
+ Printer Provisioning
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/PrinterProvisioning
+
+
+
+ UPPrinterInstalls
+
+
+
+
+ This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+
+
+ PrinterSharedID
+
+
+
+
+ PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer
+
+
+
+
+
+ CloudDeviceID
+
+
+
+
+
+
+
+ Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Install
+
+
+
+
+
+ Support async execute. Install Universal Print printer.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ 1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ErrorCode
+
+
+
+
+ HRESULT of the last installation returned code.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PrinterSharedName
+
+
+
+
+
+
+
+ Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+```
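Review bot: The DDF lists `./User/Vendor/MSFT` as the path for PrinterProvisioning, while the tree and root-node heading in universalprint-csp.md give `./Vendor/MSFT`. Since the article says printers are installed to a targeted user account, the two pages should state the same user-scoped path. Also, "Univeral Print printer" in the PrinterSharedID description is misspelled, and the front-matter description only repeats the title.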
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index c728cdb027..9df19dd70b 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -14,6 +14,17 @@ ms.date: 02/23/2018
# Update CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
@@ -62,7 +73,7 @@ The following example shows the Update configuration service provider in tree fo
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
-
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update.
+
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
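Review bot: In the reworded EULA paragraph, "It is only necessary" now follows "It's possible" in the previous sentence, so contraction style is inconsistent within one paragraph; pick one form. "not one per update" should also read "not once per update" while this sentence is being touched.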
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index fa91e9823e..efba4330c5 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803.
Roll back Latest Quality Update, if the machine meets the following conditions:
- Condition 1: Device must be WUfB Connected
+ Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in a Paused State
Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
If the conditions are not true, the device will not Roll Back the Latest Quality Update.
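Review bot: Condition 1 is a description string inside the DDF XML, which the page presents as the XML for Windows 10, version 1803. If the listing is meant to mirror the shipped DDF, rewording "WUfB Connected" makes the published text differ from the file; consider leaving the XML verbatim and expanding the abbreviation in the article text instead. The same applies to the feature-update rollback description in the next hunk.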
@@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803.
Roll Back Latest Feature Update, if the machine meets the following conditions:
- Condition 1: Device must be WUfB Connected
+ Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in Paused State
Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
Condition 4: Machine should be within the uninstall period
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 07dbd492dc..ce1fdf95ec 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -14,13 +14,23 @@ ms.date: 09/21/2021
# VPNv2 CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
Here are the requirements for this CSP:
- VPN configuration commands must be wrapped in an Atomic block in SyncML.
-- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
+- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies.
- Instead of changing individual properties, follow these steps to make any changes:
- Send a Delete command for the ProfileName to delete the entire profile.
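Review bot: The changed bullet introduces the abbreviation "(WIP)" and then spells the name out in full again later in the same sentence, so the abbreviation is defined but never used. Either drop the parenthetical or keep "WIP policies"; "configure VPN first before" can also lose the redundant "first".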
@@ -531,9 +541,9 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
-Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
+Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
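Review bot: The second changed paragraph still has "(WIP)(formerly" with no space between the parentheses, and "policies and App lists automatically takes effect", where the plural subject needs "take effect". Both are on the line this hunk rewrites, so they can be fixed in the same change.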
@@ -550,7 +560,7 @@ An optional flag to enable Always On mode. This flag will automatically connect
Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
+Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList
@@ -696,7 +706,7 @@ Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
**VPNv2/**ProfileName**/NativeProfile**
-Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).
+Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
**VPNv2/**ProfileName**/NativeProfile/Servers**
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index d318a8734b..dcf303c5fa 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -442,3 +442,7 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent::
```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
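Review bot: The added Related topics link is the last line of the file and the diff reports no newline at end of file. Please end the file with a newline so a later append does not show this line as modified.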
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index fca8b3674b..13f6f62afe 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# w4 APPLICATION CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
@@ -47,7 +57,7 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified
> [!NOTE]
-> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
+> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
If no value is specified, the registry location will default to ``.
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 139c2e3cfd..7842c67b66 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -14,11 +14,21 @@ ms.date: 06/26/2017
# w7 APPLICATION CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning.
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
-
+> [!Note]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
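Review bot: The converted alert is written `> [!Note]`, while other files in this change use `> [!NOTE]` (for example uefi-csp.md and update-csp.md). Please use one casing throughout; this applies to every note converted in this file.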
@@ -51,11 +61,10 @@ APPLICATION
---SSLCLIENTCERTSEARCHCRITERIA
```
-> **Note** All parm names and characteristic types are case sensitive and must use all uppercase.
+> [!Note]
+> All parameter names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.
-
-
**APPADDR**
This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.
@@ -99,9 +108,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o
Valid values:
-- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type.
+- BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type.
-- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type.
+- DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type.
- When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.
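Review bot: The two changed bullets keep the fragment "specifies that the SyncML DM ... authentication type", which has no verb after "that". Since the lines are being edited anyway, reword to "specifies the SyncML DM `syncml:auth-basic` authentication type" and likewise for DIGEST.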
@@ -111,9 +120,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe
**BACKCOMPATRETRYDISABLED**
Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
-> **Note** This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
-
-
+> [!Note]
+> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
**CONNRETRYFREQ**
Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter.
@@ -130,11 +138,10 @@ The valid values are:
**INIT**
Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present.
-> **Note** This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
+> [!Note]
+> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready.
-
-
**INITIALBACKOFFTIME**
Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter.
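Review bot: In the converted note, "This node is only for mobile operators and MDM servers that try to use this will fail" runs two statements together and can be read as if the node were meant for MDM servers. Split it, for example: "This node is only for mobile operators. MDM servers that try to use it will fail."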
@@ -180,9 +187,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
-> **Note** %EF%80%80 is the UTF8-encoded character U+F000.
-
-
+> [!Note]
+> `%EF%80%80` is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax:
@@ -193,15 +199,4 @@ Subject specifies the certificate to search for. For example, to specify that yo
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index c88fc017ab..adf03f1929 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -14,6 +14,17 @@ ms.date: 06/18/2019
# WiFi CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -41,11 +52,10 @@ WiFi
---------WiFiCost
```
-
The following list shows the characteristics and parameters.
**Device or User profile**
-For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path.
+For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path.
**Profile**
Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks.
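Review bot: In the user-profile path the leading dot sits outside the code span: ".`/User/Vendor/MSFT/Wifi`" formats only `/User/Vendor/MSFT/Wifi` as the path. Move the backtick so it reads `./User/Vendor/MSFT/Wifi`, matching the device path in the same sentence.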
@@ -94,6 +104,7 @@ Supported operations are Get, Add, Delete, and Replace.
-->
**DisableInternetConnectivityChecks**
+
> [!Note]
> This node has been deprecated since Windows 10, version 1607.
@@ -101,8 +112,8 @@ Added in Windows 10, version 1511. Optional. Disable the internet connectivity c
Value type is chr.
-- True - internet connectivity check is disabled.
-- False - internet connectivity check is enabled.
+- True - internet connectivity check is disabled.
+- False - internet connectivity check is enabled.
Supported operations are Get, Add, Delete, and Replace.
@@ -139,7 +150,6 @@ Supported operations are Add, Get, Replace and Delete. Value type is integer.
## Examples
-
These XML examples show how to perform various tasks using OMA DM.
### Add a network
@@ -241,8 +251,4 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index c64fc0e3c2..cb88b8e71a 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -15,11 +15,11 @@ ms.date: 06/28/2018
# WiFi DDF file
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-The XML below is for Windows 10, version 1809.
+The XML below is for Windows 10, version 1809 and later.
```xml
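Review bot: The warning now says "pre-released product which may be", while the same warning in wifi-csp.md reads "pre-released products, which may be" with "expressed or implied"; the boilerplate should be identical across the two WiFi pages. Separately, "version 1809 and later" is a broader claim than before; confirm that the DDF listing is unchanged in later releases.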
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index a537048478..12dfff8ecc 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -14,6 +14,16 @@ ms.date: 06/26/2017
# Win32AppInventory CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device.
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index a70763abb9..0f56a61d98 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# Win32AppInventory DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -274,15 +273,4 @@ The XML below is the current version for this CSP.
## Related topics
-
-[Win32AppInventory configuration service provider](win32appinventory-csp.md)
-
-
-
-
-
-
-
-
-
-
+[Win32AppInventory configuration service provider](win32appinventory-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 015e95075d..ea3289d926 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -11,7 +11,18 @@ ms.reviewer:
manager: dansimp
---
-# Win32CompatibilityAppraiser CSP
+# Win32CompatibilityAppraiser CSP
+
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -45,52 +56,64 @@ Win32CompatibilityAppraiser
------------MostRestrictiveSetting
--------WerConnectionReport
```
+
**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
**CompatibilityAppraiser**
This represents the state of the Compatibility Appraiser.
-
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
-
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
-Value type is string. Supported operation is Get.
+Value type is string.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
-A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
+A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
-The values are:
-- 0 == Neither the code nor data is of a sufficient version
-- 1 == The code version is insufficient but the data version is sufficient
-- 2 == The code version is sufficient but the data version is insufficient
-- 3 == Both the code and data are of a sufficient version
+The values are:
+
+- 0 == Neither the code nor data is of a sufficient version.
+- 1 == The code version is insufficient but the data version is sufficient.
+- 2 == The code version is sufficient but the data version is insufficient.
+- 3 == Both the code and data are of a sufficient version.
-Value type is integer. Supported operation is Get.
+Value type is integer.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
-A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
+A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**CompatibilityAppraiser/AppraiserRunResultReport**
This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
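Review bot: For `AppraiserCodeAndDataVersionsAboveMinimum`, the "The values are:" list stays before "Value type is integer." and "Supported operation is Get.", whereas the later hunks in this file (for example `TelemetryOptIn`) put the value type and supported operation first and the list last. Since this change is normalizing the layout of every node, use one order throughout. Several description lines here are also removed and re-added with identical visible text, which adds noise to the diff if it is only trailing whitespace.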
@@ -106,45 +129,58 @@ This represents various settings that affect whether the Universal Telemetry Cli
**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
An integer value representing what level of telemetry will be uploaded.
-Value type is integer. Supported operation is Get.
+Value type is integer.
-The values are:
-- 0 == Security data will be sent
-- 1 == Basic telemetry will be sent
-- 2 == Enhanced telemetry will be sent
-- 3 == Full telemetry will be sent
+Supported operation is Get.
+
+The values are:
+
+- 0 == Security data will be sent.
+- 1 == Basic telemetry will be sent.
+- 2 == Enhanced telemetry will be sent.
+- 3 == Full telemetry will be sent.
**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
-Value type is integer. Supported operation is Get.
+Value type is integer.
-The values are:
-- 0 == Setting is disabled
-- 1 == Setting is enabled
-- 2 == Setting is not applicable to this version of Windows
+Supported operation is Get.
+
+The values are:
+
+- 0 == Setting is disabled.
+- 1 == Setting is enabled.
+- 2 == Setting is not applicable to this version of Windows.
**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
-A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
+A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
-A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
+A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
-Value type is bool. Supported operation is Get.
+Value type is bool.
+
+Supported operation is Get.
**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
-An integer value representing what websites Internet Explorer will collect telemetry data for.
+An integer value representing what websites Internet Explorer will collect telemetry data for.
-Value type is integer. Supported operation is Get.
+Value type is integer.
-The values are:
-- 0 == Telemetry collection is disabled
-- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
-- 2 == Telemetry collection is enabled for internet websites and restricted website zones
-- 3 == Telemetry collection is enabled for all websites
-- 0x7FFFFFFF == Telemetry collection is not configured
+Supported operation is Get.
+
+The values are:
+
+- 0 == Telemetry collection is disabled.
+- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones.
+- 2 == Telemetry collection is enabled for internet websites and restricted website zones.
+- 3 == Telemetry collection is enabled for all websites.
+- 0x7FFFFFFF == Telemetry collection is not configured.
**UniversalTelemetryClient/UtcConnectionReport**
This provides an XML representation of the UTC connections during the most recent summary period.
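Review bot: The `MsaServiceEnabled` description is changed from "MSA service" to "Microsoft account service" here, but the matching description in win32compatibilityappraiser-ddf.md is re-added in this same patch still reading "MSA service". Either expand the term in both places or leave both alone, so that the CSP page and its DDF description stay in sync.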
@@ -160,26 +196,31 @@ This represents various settings that affect whether the Windows Error Reporting
**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
An integer value indicating the amount of WER data that will be uploaded.
-Value type integer. Supported operation is Get.
+Value type is integer.
-The values are:
-- 0 == Data will not send due to UTC opt-in
-- 1 == Data will not send due to WER opt-in
-- 2 == Basic WER data will send but not the complete set of data
-- 3 == The complete set of WER data will send
+Supported operation is Get.
+The values are:
+
+- 0 == Data will not send due to UTC opt-in.
+- 1 == Data will not send due to WER opt-in.
+- 2 == Basic WER data will send but not the complete set of data.
+- 3 == The complete set of WER data will send.
**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
-Value type integer. Supported operation is Get.
+Value type is integer.
-The values are:
-- 0 == System telemetry settings are restricting uploads
-- 1 == WER basic policies are restricting uploads
-- 2 == WER advanced policies are restricting uploads
-- 3 == WER consent policies are restricting uploads
-- 4 == There are no restrictive settings
+Supported operation is Get.
+
+The values are:
+
+- 0 == System telemetry settings are restricting upload.
+- 1 == WER basic policies are restricting uploads.
+- 2 == WER advanced policies are restricting uploads.
+- 3 == WER consent policies are restricting uploads.
+- 4 == There are no restrictive settings.
**WindowsErrorReporting/WerConnectionReport**
This provides an XML representation of the most recent WER connections of various types.
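Review bot: In the `MostRestrictiveSetting` list, value 0 now reads "System telemetry settings are restricting upload." while values 1 to 3 and the DDF description of the same node keep "uploads"; this looks like an accidental edit and should stay "restricting uploads." Also, under `WerTelemetryOptIn` the added "Supported operation is Get." is followed directly by "The values are:" with no blank line between them, unlike every other node in this file, so the two will render as one paragraph. Add the blank `+` line there.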
@@ -190,7 +231,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Appraiser run result report
-```
+```xml
@@ -362,7 +403,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### UTC connection report
-```
+```xml
@@ -440,7 +481,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
### Windows Error Reporting connection report
-```
+```xml
@@ -638,3 +679,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 05237311f1..057c668a74 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -1,6 +1,6 @@
---
title: Win32CompatibilityAppraiser DDF file
-description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
+description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -14,13 +14,13 @@ manager: dansimp
# Win32CompatibilityAppraiser DDF file
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1809.
+The XML below is for Windows 10, version 1809 and later.
```xml
@@ -98,7 +98,7 @@ The XML below is for Windows 10, version 1809.
- The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
+ The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
@@ -120,7 +120,7 @@ The XML below is for Windows 10, version 1809.
- A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
+ A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
@@ -142,7 +142,7 @@ The XML below is for Windows 10, version 1809.
- A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
+ A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
@@ -186,7 +186,7 @@ The XML below is for Windows 10, version 1809.
- An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version".
+ An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version".
@@ -208,7 +208,7 @@ The XML below is for Windows 10, version 1809.
- A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
+ A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
@@ -296,7 +296,7 @@ The XML below is for Windows 10, version 1809.
- An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent".
+ An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent".
@@ -318,7 +318,7 @@ The XML below is for Windows 10, version 1809.
- An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows".
+ An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows".
@@ -340,7 +340,7 @@ The XML below is for Windows 10, version 1809.
- A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
+ A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
@@ -362,7 +362,7 @@ The XML below is for Windows 10, version 1809.
- A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
+ A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
@@ -384,7 +384,7 @@ The XML below is for Windows 10, version 1809.
- An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured".
+ An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured".
@@ -472,7 +472,7 @@ The XML below is for Windows 10, version 1809.
- An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send".
+ An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send".
@@ -494,7 +494,7 @@ The XML below is for Windows 10, version 1809.
- An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings".
+ An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings".
@@ -537,3 +537,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[Win32CompatibilityAppraiser configuration service provider](win32compatibilityappraiser-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 2d7afd2ff5..134770f710 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -14,6 +14,16 @@ ms.date: 11/01/2017
# WindowsAdvancedThreatProtection CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
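Review bot: The lead-in "The table below shows the applicability of Windows:" does not say what the table is about; it lists the Windows editions and versions to which this CSP applies, not the applicability of Windows. Suggest wording such as "The table below shows the Windows editions and versions this CSP applies to:". The same sentence is added to the Win32CompatibilityAppraiser and WindowsAutopilot CSP pages in this patch, so fix it in all three.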
@@ -40,102 +50,101 @@ WindowsAdvancedThreatProtection
The following list describes the characteristics and parameters.
**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection**
-
The root node for the Windows Defender Advanced Threat Protection configuration service provider.
+The root node for the Windows Defender Advanced Threat Protection configuration service provider.
-
Supported operation is Get.
+Supported operation is Get.
**Onboarding**
-
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
+Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**HealthState**
-
Node that represents the Windows Defender Advanced Threat Protection health state.
+Node that represents the Windows Defender Advanced Threat Protection health state.
**HealthState/LastConnected**
-
Contains the timestamp of the last successful connection.
+Contains the timestamp of the last successful connection.
-
Supported operation is Get.
+Supported operation is Get.
**HealthState/SenseIsRunning**
-
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
+Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
-
The default value is false.
+The default value is false.
-
Supported operation is Get.
+Supported operation is Get.
**HealthState/OnboardingState**
-
Represents the onboarding state.
+Represents the onboarding state.
-
Supported operation is Get.
+Supported operation is Get.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 0 (default) – Not onboarded.
-- 1 – Onboarded
+- 0 (default) – Not onboarded
+- 1 – Onboarded
**HealthState/OrgId**
-
String that represents the OrgID.
+String that represents the OrgID.
-
Supported operation is Get.
+Supported operation is Get.
**Configuration**
-
Represents Windows Defender Advanced Threat Protection configuration.
+Represents Windows Defender Advanced Threat Protection configuration.
**Configuration/SampleSharing**
-
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
+Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
-
The following list shows the supported values:
+The following list shows the supported values:
- 0 – None
- 1 (default)– All
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Configuration/TelemetryReportingFrequency**
-
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
+Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
-
The following list shows the supported values:
+The following list shows the supported values:
-- 1 (default) – Normal
-- 2 - Expedite
+- 1 (default) – Normal
+- 2 - Expedite
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Offboarding**
-
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
+Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**DeviceTagging**
-
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
+Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
-
Supported operation is Get.
+Supported operation is Get.
**DeviceTagging/Group**
-
Added in Windows 10, version 1709. Device group identifiers.
+Added in Windows 10, version 1709. Device group identifiers.
-
The data type is a string.
+The data type is a string.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**DeviceTagging/Criticality**
-
Added in Windows 10, version 1709. Asset criticality value. Supported values:
+Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
-
The data type is an integer.
+The data type is an integer.
-
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples
-
```xml
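Review bot: The supported-value lists touched in this hunk still mix separators: `- 0 (default) – Not onboarded` uses an en dash, `- 2 - Expedite` and the `DeviceTagging/Criticality` values use a hyphen, and the untouched `- 1 (default)– All` under `Configuration/SampleSharing` has no space before the dash. Since these lines are being rewritten anyway, settle on one separator and spacing for all of them. "role based access" under `DeviceTagging` should also be hyphenated as "role-based access".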
@@ -246,15 +255,4 @@ The following list describes the characteristics and parameters.
## Related topics
-
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 93b378c6f0..044557e1f2 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -1,6 +1,6 @@
---
title: WindowsAdvancedThreatProtection DDF file
-description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
+description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
ms.reviewer:
manager: dansimp
@@ -14,7 +14,6 @@ ms.date: 12/05/2017
# WindowsAdvancedThreatProtection DDF file
-
This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -56,7 +55,7 @@ The XML below is the current version for this CSP.
- Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection
+ Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection.
@@ -77,7 +76,7 @@ The XML below is the current version for this CSP.
- Represents Windows Defender Advanced Threat Protection Health State
+ Represents Windows Defender Advanced Threat Protection Health State.
@@ -119,7 +118,7 @@ The XML below is the current version for this CSP.
false
- Return Windows Defender Advanced Threat Protection service running state
+ Return Windows Defender Advanced Threat Protection service running state.
@@ -141,7 +140,7 @@ The XML below is the current version for this CSP.
0
- Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded
+ Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded.
@@ -184,7 +183,7 @@ The XML below is the current version for this CSP.
- Represents Windows Defender Advanced Threat Protection Configuration
+ Represents Windows Defender Advanced Threat Protection Configuration.
@@ -206,7 +205,7 @@ The XML below is the current version for this CSP.
1
- Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All
+ Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All.
@@ -229,7 +228,7 @@ The XML below is the current version for this CSP.
1
- Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite
+ Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite.
@@ -253,7 +252,7 @@ The XML below is the current version for this CSP.
- Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding
+ Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding.
@@ -274,7 +273,7 @@ The XML below is the current version for this CSP.
- Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging
+ Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging.
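Review bot: The re-added description still says "role base access", whereas the CSP page in this patch describes the same `DeviceTagging` node as "role based access". As the line is being edited to add the period, correct it to "role-based access" at the same time so the DDF text matches the CSP page.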
@@ -343,15 +342,4 @@ The XML below is the current version for this CSP.
## Related topics
-
-[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
+[WindowsAdvancedThreatProtection configuration service provider](windowsadvancedthreatprotection-csp.md)
diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md
index b50c42c129..7482fcb352 100644
--- a/windows/client-management/mdm/windowsautopilot-csp.md
+++ b/windows/client-management/mdm/windowsautopilot-csp.md
@@ -1,5 +1,5 @@
---
-title: WindowsAutoPilot CSP
+title: WindowsAutopilot CSP
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
ms.reviewer:
@@ -9,21 +9,38 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 02/07/2022
+ms.date: 05/09/2022
---
-# WindowsAutoPilot CSP
+# WindowsAutopilot CSP
+
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level.
+The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.
**./Vendor/MSFT/WindowsAutopilot**
-Root node. Supported operation is Get.
+Root node for the WindowsAutopilot configuration service provider.
+Supported operation is Get.
**HardwareMismatchRemediationData**
-Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
+Interior node for the HardwareMismatchRemediationData configuration service provider. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
+
+Supported operation is Get.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
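Review bot: `HardwareMismatchRemediationData` is now described as "Interior node for the HardwareMismatchRemediationData configuration service provider", but it is a node under `./Vendor/MSFT/WindowsAutopilot`, not a configuration service provider of its own; drop the "for the ... configuration service provider" tail or name the WindowsAutopilot CSP. In the introduction, the removed line carried a leftover editing instruction to replace the detailed description with the general sentence, yet the new text keeps both, giving two consecutive sentences that open with "The WindowsAutopilot CSP". Confirm which was intended and merge or trim accordingly. The added "Supported operation is Get." under the root node also has no blank line before it, unlike the node below.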
diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md
index a07f24501d..d6f71e89a4 100644
--- a/windows/client-management/mdm/windowsautopilot-ddf-file.md
+++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md
@@ -1,6 +1,6 @@
---
-title: WindowsAutoPilot DDF file
-description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) .
+title: WindowsAutopilot DDF file
+description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) .
ms.author: dansimp
ms.topic: article
ms.prod: w10
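Review bot: The front-matter description is only re-cased here and remains ungrammatical: "Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) ." has no clear object for "Learn how" and a stray space before the final period. Since the line is being changed anyway, suggest rewriting it as a plain summary of the DDF file, in the style used for the WindowsDefenderApplicationGuard DDF description later in this patch.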
@@ -11,12 +11,12 @@ ms.reviewer:
manager: dansimp
---
-# WindowsAutoPilot DDF file
+# WindowsAutopilot DDF file
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider.
+This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@@ -27,7 +27,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- These settings enable configuration of Windows Autopilot
+ These settings enable configuration of Windows Autopilot.
@@ -74,3 +74,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
```
+
+## Related topics
+
+[WindowsAutopilot configuration service provider](windowsautopilot-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index febc8bed02..6a9c6a3055 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -13,10 +13,22 @@ manager: dansimp
# WindowsDefenderApplicationGuard CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
-```
+
+```console
./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
----Settings
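Review bot: The fence for the node tree is retagged from an untagged block to `console`, but the content is a static CSP node hierarchy rather than terminal input or output, so the tag may apply misleading highlighting; suggest leaving it untagged or using `text`. In the same hunk, the lead-in "The table below shows the applicability of Windows:" does not say what is applicable; something like "The table below shows the Windows editions this CSP applies to:" would match what the table contains.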
@@ -36,6 +48,7 @@ WindowsDefenderApplicationGuard
----Audit
--------AuditApplicationGuard
```
+
**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
Root node. Supported operation is Get.
@@ -43,30 +56,37 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get.
**Settings/AllowWindowsDefenderApplicationGuard**
-Turn on Microsoft Defender Application Guard in Enterprise Mode.
+Turn on Microsoft Defender Application Guard in Enterprise Mode.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
-- 0 - Disable Microsoft Defender Application Guard
-- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
-- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004)
-- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004)
+
+- 0 - Disable Microsoft Defender Application Guard.
+- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY.
+- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004).
+- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004).
**Settings/ClipboardFileType**
-Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
+Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
+
- 1 - Allow text copying.
- 2 - Allow image copying.
- 3 - Allow text and image copying.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -76,21 +96,25 @@ ADMX Info:
**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
-The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host.
- 2 - Turns On clipboard operation from the host to an isolated session.
- 3 - Turns On clipboard operation in both the directions.
> [!IMPORTANT]
-> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
+> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
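Review bot: The [!IMPORTANT] note under Settings/ClipboardSettings is re-touched for whitespace only and still does not say which values it warns about. The risky direction it describes (content going into Application Guard) corresponds to values 2 and 3 in the list directly above, so suggest naming them in the note so an admin reading the value list can see which choices are not recommended. The capitalised "Off" and "On" in the value descriptions could also be normalised while the block is being edited.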
@@ -98,13 +122,16 @@ ADMX Info:
**Settings/PrintingSettings**
-This policy setting allows you to decide how the print functionality behaves while in Application Guard.
+This policy setting allows you to decide how the print functionality behaves while in Application Guard.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+
- 0 (default) - Disables all print functionality.
- 1 - Enables only XPS printing.
- 2 - Enables only PDF printing.
@@ -123,7 +150,8 @@ The following list shows the supported values:
- 15 - Enables all printing.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -133,11 +161,14 @@ ADMX Info:
**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
@@ -145,7 +176,8 @@ The following list shows the supported values:
> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -155,16 +187,18 @@ ADMX Info:
**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
+
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
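Review bot: Under Settings/AllowPersistence the line "This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education ..." is removed and not replaced, whereas the other settings in this file get the same sentence updated to "Windows 10/Windows 11". If the removal is unintentional, add the updated sentence back after "Supported operations are Add, Get, Replace, and Delete."; if it is intentional, it should be explained in the change description.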
@@ -172,15 +206,18 @@ ADMX Info:
**Settings/AllowVirtualGPU**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
+Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
The following list shows the supported values:
+
- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container.
@@ -188,7 +225,8 @@ The following list shows the supported values:
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -196,18 +234,20 @@ ADMX Info:
**Settings/SaveFilesToHost**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+The following list shows the supported values:
-The following list shows the supported values:
- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
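Review bot: Under Settings/SaveFilesToHost the edition support sentence is dropped rather than updated to "Windows 10/Windows 11", the same omission as in AllowPersistence. The rewritten description also fixes "persist files them" but leaves "elect files on the host operating system and upload it" (likely "select files ... and upload them"). In addition, the description says the setting covers both download and upload, while the text for value 1 mentions download only; the value text should state whether upload is enabled too.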
@@ -217,9 +257,11 @@ ADMX Info:
**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
@@ -229,7 +271,8 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92
If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -242,15 +285,18 @@ ADMX Info:
**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.
-The following list shows the supported values:
+The following list shows the supported values:
+
- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.
@@ -258,7 +304,8 @@ The following list shows the supported values:
> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
@@ -268,22 +315,26 @@ ADMX Info:
**Status**
Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
-Value type is integer. Supported operation is Get.
+Value type is integer.
-- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
-- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
-- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
-- Bit 3 - Set to 1 when Application Guard installed on the client machine.
-- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
- > [!IMPORTANT]
- > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
-- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
-- Bit 6 - Set to 1 when system reboot is required.
+Supported operation is Get.
+
+- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
+- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
+ > [!IMPORTANT]
+ > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
+- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
+- Bit 6 - Set to 1 when system reboot is required.
**PlatformStatus**
Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
-Value type is integer. Supported operation is Get.
+Value type is integer.
+
+Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
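Review bot: The Status bit list is removed and re-added for whitespace only, which keeps two wording slips in the new lines: "Bit 3 - Set to 1 when Application Guard installed on the client machine" is missing "is", and "enabled into enterprise manage mode" in Bit 0 does not match the "Enterprise Mode" wording used under Settings/AllowWindowsDefenderApplicationGuard. The same Bit 0 wording appears in the PlatformStatus context lines. Suggest fixing these in this pass, since admins read these bits to decide whether a device actually has isolation in place.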
@@ -297,7 +348,8 @@ Initiates remote installation of Application Guard feature.
Supported operations are Get and Execute.
-The following list shows the supported values:
+The following list shows the supported values:
+
- Install - Will initiate feature install.
- Uninstall - Will initiate feature uninstall.
@@ -305,20 +357,28 @@ The following list shows the supported values:
Interior node. Supported operation is Get.
**Audit/AuditApplicationGuard**
-This policy setting allows you to decide whether auditing events can be collected from Application Guard.
+This policy setting allows you to decide whether auditing events can be collected from Application Guard.
-Value type in integer. Supported operations are Add, Get, Replace, and Delete.
+Value type in integer.
-This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
+This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:
+
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
-ADMX Info:
+ADMX Info:
+
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
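Review bot: Under Audit/AuditApplicationGuard the typo is carried into the new line: "+Value type in integer." should read "Value type is integer.", as it does for every other node in this file. The file also still ends without a trailing newline after the new Related topics link.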
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index c4c0409389..d910c1b600 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
-description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
+description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -14,13 +14,13 @@ manager: dansimp
# WindowsDefenderApplicationGuard DDF file
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-This XML is for Windows 10, version 1809.
+This XML is for Windows 10, version 1809 and later.
```xml
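Review bot: The changed sentence now claims "This XML is for Windows 10, version 1809 and later", but no hunk in this patch touches the XML body itself. The CSP page in the same patch lists a node (PlatformStatus) and AllowWindowsDefenderApplicationGuard values 2 and 3 as added in Windows 10, version 2004, so please confirm the DDF shown here actually describes those before widening the version claim.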
@@ -481,3 +481,7 @@ This XML is for Windows 10, version 1809.
```
+
+## Related topics
+
+[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 0789764ab1..756039926b 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -14,6 +14,17 @@ ms.date: 08/15/2018
# WindowsLicensing CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
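Review bot: The [!WARNING] context line below the new table still reads "prereleased", while the two DDF pages in this patch change the identical sentence to "pre-released"; pick one spelling and apply it here too. The table lead-in "The table below shows the applicability of Windows:" has the same vagueness as in the Application Guard CSP page and would read better as a statement of which editions the CSP applies to.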
@@ -40,6 +51,7 @@ WindowsLicensing
--------SwitchFromSMode (Added in Windows 10, version 1809)
--------Status (Added in Windows 10, version 1809)
```
+
**./Device/Vendor/MSFT/WindowsLicensing**
This node is the root node for the WindowsLicensing configuration service provider.
@@ -51,21 +63,17 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices.
> [!NOTE]
> This upgrade process requires a system restart.
-
-
The date type is a chr.
The supported operation is Exec.
-When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
+When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
> [!IMPORTANT]
> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail.
-
-
If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart.
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
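Review bot: In the UpgradeEditionWithProductKey paragraph, removing the comma gives "restart their system manually or after two hours, the device will restart automatically", which now reads as if the manual restart happens after two hours. Suggest "manually or, after two hours, the device will restart automatically" (the original) or splitting into two sentences. The context line "The date type is a chr." should be "The data type is a chr.", and "a new edition of Windows 10 is available" is left at Windows 10 only although the rest of the page is being extended to Windows 11.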
@@ -75,24 +83,22 @@ This node can also be used to activate or change a product key on a particular e
> [!IMPORTANT]
> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
-
-
The following are valid edition upgrade paths when using this node through an MDM:
-- Windows 10 Enterprise to Windows 10 Education
-- Windows 10 Home to Windows 10 Education
-- Windows 10 Pro to Windows 10 Education
-- Windows 10 Pro to Windows 10 Enterprise
+- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education
+- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education
+- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education
+- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise
Activation or changing a product key can be carried out on the following editions:
-- Windows 10 Education
-- Windows 10 Enterprise
-- Windows 10 Home
-- Windows 10 Pro
+- Windows 10/Windows 11 Education
+- Windows 10/Windows 11 Enterprise
+- Windows 10/Windows 11 Home
+- Windows 10/Windows 11 Pro
**Edition**
-Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
+Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
The data type is an Int.
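Review bot: The first upgrade path has a stray space, "Windows 10/ Windows 11 Education", unlike the other added bullets. The [!IMPORTANT] context note above the lists still says the 29-character product key requirement applies to "Windows 10 desktop devices", which is inconsistent with the lists now naming Windows 11. The Edition text also still sends readers to "the GetProductInfo function page on MSDN" with no link; consider linking the page directly.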
@@ -101,11 +107,11 @@ The supported operation is Get.
**Status**
Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values:
-- 0 = Failed
-- 1 = Pending
-- 2 = In progress
-- 3 = Completed
-- 4 = Unknown
+- 0 = Failed
+- 1 = Pending
+- 2 = In progress
+- 3 = Completed
+- 4 = Unknown
The data type is an Int.
@@ -136,23 +142,23 @@ The following are valid edition upgrade paths when using this node through an MD
-->
**LicenseKeyType**
-Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
+Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change.
-- Windows 10 client devices require a product key.
+- Windows 10 or Windows 11 client devices require a product key.
The data type is a chr.
The supported operation is Get.
**CheckApplicability**
-Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices.
+Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices.
The data type is a chr.
The supported operation is Exec.
**ChangeProductKey**
-Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Doesn't reboot.
+Added in Windows 10, version 1703. Installs a product key for Windows desktop devices. Doesn't reboot.
The data type is a chr.
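Review bot: Product naming is inconsistent within this hunk: LicenseKeyType and CheckApplicability are changed to "Windows 10 or Windows 11", while ChangeProductKey is changed to plain "Windows desktop devices". Suggest using one form throughout the page, and the same form as the "Windows 10/Windows 11" wording added in the upgrade path lists.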
@@ -184,32 +190,37 @@ Interior node for managing S mode.
**SMode/SwitchingPolicy**
Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Value type is integer.
-Supported values:
-- 0 - No Restriction: The user is allowed to switch the device out of S mode.
-- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
+Supported operations are Add, Get, Replace, and Delete.
+
+Supported values:
+
+- 0 - No Restriction: The user is allowed to switch the device out of S mode.
+- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
**SMode/SwitchFromSMode**
Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
Supported operation is Execute.
-**SMode/Status**
+**SMode/Status**
Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
-Value type is integer. Supported operation is Get.
+Value type is integer.
+
+Supported operation is Get.
Values:
-- Request fails with error code 404 - no SwitchFromSMode request has been made.
-- 0 - The device successfully switched out of S mode
-- 1 - The device is processing the request to switch out of S mode
-- 3 - The device was already switched out of S mode
-- 4 - The device failed to switch out of S mode
+
+- Request fails with error code 404 - no SwitchFromSMode request has been made.
+- 0 - The device successfully switched out of S mode.
+- 1 - The device is processing the request to switch out of S mode.
+- 3 - The device was already switched out of S mode.
+- 4 - The device failed to switch out of S mode.
## SyncML examples
-
**CheckApplicability**
```xml
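Review bot: The SMode/Status value list goes 0, 1, 3, 4 and this edit only adds periods. Confirm whether value 2 is reserved or simply undocumented and say so in the list, since an MDM server polling this node after a SwitchFromSMode request has to handle every value it can receive. The SMode/SwitchingPolicy, SMode/SwitchFromSMode and SMode/Status description sentences that end in a link also still lack a closing period.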
@@ -235,8 +246,6 @@ Values:
> [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
-
-
**Edition**
```xml
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index 5286cedaa2..bdce69a6f7 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -15,13 +15,13 @@ ms.date: 07/16/2017
# WindowsLicensing DDF file
> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1809.
+The XML below is for Windows 10, version 1809 and later.
```xml
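Review bot: The warning is changed to "pre-released" here, but the identical warning in wirednetwork-csp.md, visible as unchanged context in this same PR, keeps "prereleased". Pick one spelling and apply it to every copy of the warning.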
@@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809.
- Returns a value that maps to the Windows 10 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
+ Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
@@ -128,7 +128,7 @@ The XML below is for Windows 10, version 1809.
- Returns the status of an edition upgrade on Windows 10 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown
+ Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown
@@ -349,3 +349,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[WindowsLicensing configuration service provider](windowslicensing-csp.md)
\ No newline at end of file
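Review bot: The added "Related topics" link is the last line of the file and the file now ends without a trailing newline. Add one so later appends produce clean diffs.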
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 62808bc9bb..ff85447bbd 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -13,6 +13,17 @@ manager: dansimp
# WiredNetwork CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
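Review bot: The added lead-in "The table below shows the applicability of Windows:" does not say what applies to what. Reword it to state that the table lists the Windows editions this CSP applies to. The table is also inserted above the prerelease warning, so the warning no longer directly follows the title.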
@@ -39,17 +50,19 @@ WiredNetwork
----EnableBlockPeriod
```
**./Device/Vendor/MSFT/WiredNetwork**
-Root node.
+The root node for the wirednetwork configuration service provider.
**LanXML**
Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx.
-Supported operations are Add, Get, Replace, and Delete. Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
**EnableBlockPeriod**
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is integer.
The following example shows how to add a wired network profile:
```xml
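Review bot: The new root node description writes the CSP name as "wirednetwork", while the title and the node path in this file use "WiredNetwork". Match the casing. The EnableBlockPeriod description next to the changed lines gives the unit (minutes) but no default or allowed range, which an admin setting an authentication back-off would need.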
@@ -70,3 +83,7 @@ The following example shows how to add a wired network profile:
```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index bc61e8f7d0..f527c65745 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -167,3 +167,7 @@ The XML below is the current version for this CSP.
```
+
+## Related topics
+
+[WiredNetwork CSP](wirednetwork-csp.md)
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index 120ac4d165..3a36e33d5a 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -1,30 +1,31 @@
---
title: Use Quick Assist to help users
-description: How IT Pros can use Quick Assist to help users
+description: How IT Pros can use Quick Assist to help users.
ms.prod: w10
-ms.sitesec: library
-ms.topic: article
-author: aczechowski
+ms.technology: windows
+ms.topic: how-to
ms.localizationpriority: medium
+author: aczechowski
ms.author: aaroncz
manager: dougeby
+ms.reviewer: pmadrigal
ms.collection: highpri
---
# Use Quick Assist to help users
-Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
+Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin
-All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate.
+All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
### Authentication
-The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time.
+The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
### Network considerations
@@ -32,18 +33,20 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
Both the helper and sharer must be able to reach these endpoints over port 443:
-| Domain/Name | Description |
-|-----------------------------------|-------------------------------------------------------|
-| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application |
-| \*.resources.lync.com | Required for the Skype framework used by Quick Assist |
-| \*.infra.lync.com | Required for the Skype framework used by Quick Assist |
-| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist |
-| \*.login.microsoftonline.com | Required for logging in to the application (MSA) |
-| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist |
-| \*.aria.microsoft.com | Used for accessibility features within the app |
-| \*.api.support.microsoft.com | API access for Quick Assist |
-| \*.vortex.data.microsoft.com | Used for diagnostic data |
-| \*.channelservices.microsoft.com | Required for chat services within Quick Assist |
+| Domain/Name | Description |
+|--|--|
+| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
+| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
+| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
+| `*.aria.microsoft.com` | Used for accessibility features within the app |
+| `*.api.support.microsoft.com` | API access for Quick Assist |
+| `*.vortex.data.microsoft.com` | Used for diagnostic data |
+| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
+| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
+| `*.turn.azure.com` | Protocol used to help endpoint. |
+| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
## How it works
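Review bot: The description added for `*.turn.azure.com`, "Protocol used to help endpoint.", does not say what the endpoint is for, so an admin building a port 443 allowlist from this table cannot judge the entry. State its purpose in the same style as the other rows. The five new rows also end in a period while the retained rows do not, and it would help to say in the article that the removed `*.resources.lync.com`, `*.infra.lync.com` and `*.latest-swx.cdn.skype.com` entries are no longer required so existing firewall rules can be pruned.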
@@ -73,9 +76,9 @@ Microsoft logs a small amount of session data to monitor the health of the Quick
- Features used inside the app such as view only, annotation, and session pause
-No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session.
+No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
-The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days.
+The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
@@ -83,8 +86,7 @@ In some scenarios, the helper does require the sharer to respond to application
Either the support staff or a user can start a Quick Assist session.
-
-1. Support staff (“helper”) starts Quick Assist in any of a few ways:
+1. Support staff ("helper") starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER.
- From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
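Review bot: The unchanged step "From the Start menu, select **Windows Accessories**, and then select **Quick Assist**" sits oddly with the intro of this file, which this PR changes to describe Quick Assist as a "Microsoft Store application". Confirm that Start menu path is still correct for the Store version or update the step.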
@@ -94,32 +96,16 @@ Either the support staff or a user can start a Quick Assist session.
3. Helper shares the security code with the user over the phone or with a messaging system.
-4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
+4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
-5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**.
+5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
## If Quick Assist is missing
-If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it.
-
-### Uninstall Quick Assist
-
-1. Start the Settings app, and then select **Apps**.
-2. Select **Optional features**.
-3. In the **Installed features** search bar, type *Quick Assist*.
-4. Select **Microsoft Quick Assist**, and then select **Uninstall**.
-
-### Reinstall Quick Assist
-
-1. Start the Settings app, and then select **Apps**.
-2. Select **Optional features**.
-3. Select **Add a feature**.
-4. In the new dialog that opens, in the **Add an optional feature** search bar, type *Quick Assist*.
-5. Select the check box for **Microsoft Quick Assist**, and then select **Install**.
-6. Restart the device.
+If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
## Next steps
-If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab).
+If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
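Review bot: Under the heading "If Quick Assist is missing", the new sentence tells a user who doesn't have Quick Assist to "try to uninstall and reinstall it", which cannot apply when the app is absent. Suggest "install it, or uninstall and reinstall it if it's not working properly". The in-page uninstall and reinstall steps are replaced by one external link, so the link text should make clear that it covers both cases.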
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 52a2fb766d..da6a705ba5 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -15,7 +15,7 @@ ms.topic: troubleshooting
# What version of Windows am I running?
-To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
+To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 756137de7c..aa66136bfb 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -1,13 +1,9 @@
---
title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
-ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
ms.reviewer:
manager: dougeby
-keywords: ["group policy", "start menu", "start screen"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 500f5c624f..bf089eb4ba 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,10 +1,7 @@
---
title: Configure Windows 10 taskbar (Windows 10)
description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
-keywords: ["taskbar layout","pin apps"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
@@ -14,6 +11,7 @@ ms.reviewer:
manager: dougeby
ms.collection: highpri
---
+
# Configure Windows 10 taskbar
Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
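Review bot: The first body sentence reads "by adding a `` section to a layout modification XML file", with an empty inline code span where the element name should be. Since this hunk already touches the heading directly above it, restore the element name in the same change.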
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 805a227811..e82f329a86 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -2,8 +2,6 @@
title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows
description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 6d940ecc14..a342f659be 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -2,8 +2,6 @@
title: Send feedback about Cortana at work back to Microsoft
description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues..
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
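Review bot: The `description` value in this front matter ends with a double period ("diagnose reported issues.."). Fix it while the metadata block is being edited.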
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index d949c55ed5..633b1edf0b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -2,8 +2,6 @@
title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
@@ -29,7 +27,7 @@ There are a few things to be aware of before you start using Cortana in Windows
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
-- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.
+- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
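Review bot: The changed bullet defines the abbreviation as "Windows Information Protection (WIP)", keeps using "WIP" in the next sentences, and then switches back to the full name in "If you decide to use Windows Information Protection". Pick one form after the first definition. The bullet's lead-in is also not bolded like the neighbouring "**Office 365 Trust Center.**" and "**Troubleshooting tips.**" bullets, and "3rd party" should read "third-party".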
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 2b72551c54..88b9b1e042 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 2eb0ba6a03..97966260a0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -2,8 +2,6 @@
title: Configure Cortana with Group Policy and MDM settings (Windows)
description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index a54d958f6e..fd81d85f3a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -2,8 +2,6 @@
title: Set up and test Cortana for Power BI in your organization (Windows)
description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index de0f3315ae..f19d6c310d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -2,8 +2,6 @@
title: Sign into Azure AD, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index b9c64414bc..4c019223d3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -2,8 +2,6 @@
title: Perform a quick search with Cortana at work (Windows)
description: This is a test scenario about how to perform a quick search with Cortana at work.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 68ba398dbf..f6d46feb8f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -2,8 +2,6 @@
title: Set a reminder for a location with Cortana at work (Windows)
description: A test scenario about how to set a location-based reminder using Cortana at work.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 6c6a391833..6a45297397 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -2,8 +2,6 @@
title: Use Cortana at work to find your upcoming meetings (Windows)
description: A test scenario on how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 63f5f07436..5085f7608d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -2,8 +2,6 @@
title: Use Cortana to send email to a co-worker (Windows)
description: A test scenario about how to use Cortana at work to send email to a co-worker.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index c4647b52d8..b05c1179dc 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -2,8 +2,6 @@
title: Review a reminder suggested by Cortana (Windows)
description: A test scenario on how to use Cortana with the Suggested reminders feature.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 6a7ab71a9a..ed2e51d53c 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -2,8 +2,6 @@
title: Help protect data with Cortana and WIP (Windows)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index cf0cd10b10..55023907da 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -2,8 +2,6 @@
title: Cortana at work testing scenarios
description: Suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 10a3e5644b..fb38e50ec2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -2,8 +2,6 @@
title: Set up and test custom voice commands in Cortana for your organization (Windows)
description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index b922d049e4..5af920f5f7 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index 729352fb95..d11ddd9fbf 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -2,8 +2,6 @@
title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
index 86c279c752..f9128ac53e 100644
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -2,8 +2,6 @@
title: Test scenario 2 - Perform a quick search with Cortana at work
description: A test scenario about how to perform a quick search with Cortana at work.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
index f1706c3579..0bef2a7ad9 100644
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -2,8 +2,6 @@
title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
description: A test scenario about how to set up, review, and edit a reminder based on a location.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 635172f826..45d2df199c 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -2,8 +2,6 @@
title: Use Cortana to find your upcoming meetings at work (Windows)
description: A test scenario about how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 7770f46dfd..4a890aca59 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -2,8 +2,6 @@
title: Use Cortana to send an email to co-worker (Windows)
description: A test scenario on how to use Cortana at work to send email to a co-worker.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
index e9b09188c2..eea07d4bbe 100644
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -2,8 +2,6 @@
title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
index 57153a781a..b62794ff0f 100644
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -2,8 +2,6 @@
title: Testing scenarios using Cortana in your business or organization
description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index c979753ccb..5f13879817 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -1,13 +1,9 @@
---
title: Customize and export Start layout (Windows 10)
description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
-ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236
ms.reviewer:
manager: dougeby
-keywords: ["start screen"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index f21e9bf9dc..069e047309 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -1,14 +1,10 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: ericpapa
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
ms.collection: highpri
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index 8679cc641f..51335436d5 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -1,14 +1,10 @@
---
title: Configure and customize Windows 11 taskbar | Microsoft Docs
description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: chataylo
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
ms.collection: highpri
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 434d699db3..15c1cc2cad 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -1,13 +1,9 @@
---
title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
-ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
ms.reviewer:
manager: dougeby
-keywords: ["Start layout", "start menu", "layout", "group policy"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index a06b4c2919..fb50dc5a39 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,13 +1,9 @@
---
title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices.
-ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
manager: dougeby
-keywords: ["start screen", "start menu"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.topic: article
ms.author: aaroncz
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 110d43b999..0a2038ce7d 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -1,13 +1,9 @@
---
title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10)
description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
-ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
ms.reviewer:
manager: dougeby
-keywords: ["Start layout", "start menu"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 13779d0100..ce8ad34838 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,10 +1,7 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10/11)
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
@@ -46,7 +43,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
## Guidelines for web browsers
-Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
+In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode).
+
+In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website.
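Review bot: Both added browser sentences pin a single release ("In Windows 10, version 1909" and "In Windows 10, version 1809"), where the removed line said "1809+", so the reader can no longer tell whether later versions are covered. Use the "version X and later" wording that this patch applies in kiosk-xml.md. The two links also carry the identical text "Learn how to deploy Microsoft Edge kiosk mode" while pointing at different articles; name Microsoft Edge Legacy in the second link text so the targets can be told apart.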
@@ -156,6 +155,12 @@ You can create your own web browser Windows app by using the WebView class. Lear
Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
+## Customize your breakout sequence
+
+Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience.
+
+There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used.
+
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
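Review bot: The new "Customize your breakout sequence" section never says where the sequence is actually set: "a provisioning method where an XML format such as MDM is used" is vague, and MDM is a delivery channel rather than an XML format. Say that it is specified in the assigned access configuration XML and link to the Microsoft Edge kiosk XML sample, as the kiosk-single-app.md change in this patch does. Write the default as **Ctrl + Alt + Del** rather than "ctrl+alt+delete" so both articles name the same shortcut the same way.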
diff --git a/windows/configuration/images/choose-package.png b/windows/configuration/images/choose-package.png
deleted file mode 100644
index 2bf7a18648..0000000000
Binary files a/windows/configuration/images/choose-package.png and /dev/null differ
diff --git a/windows/configuration/images/oobe.jpg b/windows/configuration/images/oobe.jpg
deleted file mode 100644
index 2e700971c1..0000000000
Binary files a/windows/configuration/images/oobe.jpg and /dev/null differ
diff --git a/windows/configuration/images/oobe.png b/windows/configuration/images/oobe.png
new file mode 100644
index 0000000000..331797c251
Binary files /dev/null and b/windows/configuration/images/oobe.png differ
diff --git a/windows/configuration/images/package.png b/windows/configuration/images/package.png
deleted file mode 100644
index e10cf84f51..0000000000
Binary files a/windows/configuration/images/package.png and /dev/null differ
diff --git a/windows/configuration/images/prov.jpg b/windows/configuration/images/prov.jpg
deleted file mode 100644
index 1593ccb36b..0000000000
Binary files a/windows/configuration/images/prov.jpg and /dev/null differ
diff --git a/windows/configuration/images/provisioning-oobe-choice.png b/windows/configuration/images/provisioning-oobe-choice.png
new file mode 100644
index 0000000000..503fa8f17b
Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-choice.png differ
diff --git a/windows/configuration/images/provisioning-oobe-choose-package.png b/windows/configuration/images/provisioning-oobe-choose-package.png
new file mode 100644
index 0000000000..68b23dae54
Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-choose-package.png differ
diff --git a/windows/configuration/images/provisioning-oobe-installing.png b/windows/configuration/images/provisioning-oobe-installing.png
new file mode 100644
index 0000000000..4b05a90946
Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-installing.png differ
diff --git a/windows/configuration/images/provisioning-runtime-UAC.png b/windows/configuration/images/provisioning-runtime-UAC.png
new file mode 100644
index 0000000000..5e00691b05
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-UAC.png differ
diff --git a/windows/configuration/images/provisioning-runtime-add-package.png b/windows/configuration/images/provisioning-runtime-add-package.png
new file mode 100644
index 0000000000..542c73fe6e
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-add-package.png differ
diff --git a/windows/configuration/images/provisioning-runtime-choose-package.png b/windows/configuration/images/provisioning-runtime-choose-package.png
new file mode 100644
index 0000000000..00a8f198a3
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-choose-package.png differ
diff --git a/windows/configuration/images/provisioning-runtime-click-to-install.png b/windows/configuration/images/provisioning-runtime-click-to-install.png
new file mode 100644
index 0000000000..5e06f26654
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-click-to-install.png differ
diff --git a/windows/configuration/images/provisioning-runtime-manage-packages.png b/windows/configuration/images/provisioning-runtime-manage-packages.png
new file mode 100644
index 0000000000..657e69b945
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-manage-packages.png differ
diff --git a/windows/configuration/images/provisioning-runtime-trust.png b/windows/configuration/images/provisioning-runtime-trust.png
new file mode 100644
index 0000000000..50cb98ff3b
Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-trust.png differ
diff --git a/windows/configuration/images/setupmsg.jpg b/windows/configuration/images/setupmsg.jpg
deleted file mode 100644
index 06348dd2b8..0000000000
Binary files a/windows/configuration/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/configuration/images/trust-package.png b/windows/configuration/images/trust-package.png
deleted file mode 100644
index 8a293ea4da..0000000000
Binary files a/windows/configuration/images/trust-package.png and /dev/null differ
diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md
index e3b0982b66..efe346ced6 100644
--- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md
+++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md
@@ -3,7 +3,6 @@ author: aczechowski
ms.author: aaroncz
ms.date: 09/21/2021
ms.reviewer:
-audience: itpro
manager: dougeby
ms.prod: w10
ms.topic: include
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md
index cd38222026..fda7a6c1da 100644
--- a/windows/configuration/kiosk-additional-reference.md
+++ b/windows/configuration/kiosk-additional-reference.md
@@ -1,14 +1,10 @@
---
title: More kiosk methods and reference information (Windows 10/11)
description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: reference
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index 7c0a77b39e..509e5e3983 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -1,14 +1,10 @@
---
title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11)
description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index ea9c57c785..c444568fe9 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -5,9 +5,6 @@ manager: dougeby
ms.author: aaroncz
description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: aczechowski
ms.topic: article
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 6524e3e543..219db257fb 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -1,14 +1,9 @@
---
title: Policies enforced on kiosk devices (Windows 10/11)
description: Learn about the policies enforced on a device when you configure it as a kiosk.
-ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer: sybruckm
manager: dougeby
-keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: edu, security
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 45dec9443a..2712131087 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -1,14 +1,10 @@
---
title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs
description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 3cd7d04a31..075be3e488 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -1,14 +1,10 @@
---
title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)
description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index e002ead309..7c13c2715e 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -1,14 +1,10 @@
---
title: Set up a single-app kiosk on Windows 10/11
description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education).
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
@@ -342,3 +338,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
+
+> [!NOTE]
+> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
+
+The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).
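Review bot: The added breakout paragraph gives the "modifiers + keys" format but not which element or attribute holds it or which modifier and key names are accepted, so an admin has to infer all of that from the linked sample. Name the setting here and list the accepted modifiers. Casing also changes within the paragraph ("The Breakout Sequence" and then "The breakout sequence"); use lower case in both places.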
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index cb60660c38..091872a845 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -1,14 +1,9 @@
---
title: Troubleshoot kiosk mode issues (Windows 10/11)
description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
-ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer: sybruckm
manager: dougeby
-keywords: ["lockdown", "app restrictions"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: edu, security
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 934dd1ed77..dfc4d3e91d 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,14 +1,10 @@
---
title: Validate kiosk configuration (Windows 10/11)
description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education.
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 7dd54085f1..a5f84dcc40 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -1,14 +1,9 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10/11)
description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11.
-ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer: sybruckm
manager: dougeby
-keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: edu, security
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
@@ -254,16 +249,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
+## Microsoft Edge Kiosk XML Sample
+```xml
+
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
## Global Profile Sample XML
Global Profile is supported on:
-- Windows 10 version 2004+
- Windows 11
+- Windows 10, version 2004 and later
-Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
+Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
-This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
+This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
```xml
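Review bot: The new "Microsoft Edge Kiosk XML Sample" section runs from the heading straight into the xml fence with no blank line and no introductory sentence, unlike the Global Profile section below it, which says what its sample demonstrates. Add a sentence stating what the sample configures, including the breakout sequence that kiosk-single-app.md now links here for. As shown in this diff, the sample body is blank apart from "EdgeKioskUser", so confirm the XML survives rendering. The heading order "XML Sample" also differs from "Sample XML" in the next heading.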
@@ -642,13 +661,12 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
->[!NOTE]
->Updated for Windows 10, version 1903+.
+> [!NOTE]
+> Updated for Windows 10, version 1903 and later.
-The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release:
+The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
```xml
-
+
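Review bot: The reworded lead-in still says the schema is "for AssignedAccess Configuration up to Windows 10, version 1803 release", directly under a note that reads "Updated for Windows 10, version 1903 and later", and the following hunks add lines to this same schema block. Since the sentence is being edited anyway, correct the version it names or drop the "up to" clause so that the note and the lead-in agree.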
@@ -670,8 +690,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
+
+
+
+
+
+
@@ -680,7 +706,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
-
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -781,6 +819,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
+
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index 4fcd915dd1..4552e63e33 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -1,14 +1,9 @@
---
title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
-ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer: sybruckm
manager: dougeby
-keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: edu, security
author: aczechowski
ms.localizationpriority: medium
ms.date: 07/30/2018
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index ef2974bbc5..fcc521e9df 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -404,7 +404,7 @@ Group accounts are specified using ``. Nested groups aren't supported
```
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in.
+- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml
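Review bot: The change from "sign in" to "sign-in" at the end of the Azure AD group bullet introduces an error: in "when users that belong to the group sign-in" the phrase is a verb, and the hyphenated form is the noun or adjective. The kiosk-xml.md hunk in this same patch uses "signs in" for the verb. Revert this line to "sign in".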
@@ -544,43 +544,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
### Apply provisioning package to device
-Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
-
->[!TIP]
->In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
-
-#### During initial setup, from a USB drive
-
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
- 
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
- 
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- 
-
-5. Select **Yes, add it**.
-
- 
-
-#### After setup, from a USB drive, network folder, or SharePoint site
-
-1. Sign in with an admin account.
-2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
-
-
### Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
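Review bot: Replacing the inline steps with a link also drops the TIP on Install-ProvisioningPackage with `-LogsDirectoryPath`, which was this section's only pointer to collecting logs when a package fails to apply. Confirm that provisioning-apply-package.md carries that tip (with "comdlet" corrected to "cmdlet") before removing it here, or keep a one-line version next to the new link. The retained NOTE about the assigned access user account still matters for both OOBE and runtime, so it is worth checking that the linked article does not contradict it.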
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index 36bf667cc7..caeb98056f 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -1,14 +1,9 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
-ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
ms.reviewer:
manager: dougeby
-keywords: lockdown, embedded
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index 2dcf1d588b..6eb41bde06 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -1,11 +1,7 @@
---
title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10)
description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
-keywords: ["device management"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: devices
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index 8149182469..1bd58d5c1e 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -1,15 +1,10 @@
---
title: Manage Wi-Fi Sense in your company (Windows 10)
description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
-ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index ffe4a55f6d..a168bce8f6 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -1,12 +1,9 @@
---
title: Configure cellular settings for tablets and PCs (Windows 10)
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
-ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.reviewer:
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 9147bc6b90..3e0279e5e5 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,12 +1,9 @@
---
title: Configuration service providers for IT pros (Windows 10/11)
description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
-ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.reviewer: gkomatsu
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 1305b2bb87..cec5065059 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -1,13 +1,9 @@
---
title: Provision PCs with common settings (Windows 10/11)
description: Create a provisioning package to apply common settings to a PC running Windows 10.
-ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
ms.reviewer: gkomatsu
manager: dougeby
-keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index faad3522bb..9d403656ad 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -1,10 +1,7 @@
---
title: Provision PCs with apps and certificates (Windows 10)
description: Create a provisioning package to apply settings to a PC running Windows 10.
-keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index f1b8691117..86ba895398 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,10 +1,7 @@
---
title: Provision PCs with apps (Windows 10/11)
description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
-keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 230570bfa8..97a1f3bd50 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -1,9 +1,7 @@
---
title: Apply a provisioning package (Windows 10/11)
-description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
+description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime").
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
@@ -20,40 +18,82 @@ manager: dougeby
- Windows 10
- Windows 11
-Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime").
->[!NOTE]
+> [!NOTE]
>
> - Applying a provisioning package to a desktop device requires administrator privileges on the device.
> - You can interrupt a long-running provisioning process by pressing ESC.
-## During initial setup, from a USB drive
+> [!TIP]
+> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+## During initial setup
- 
+To apply a provisioning package from a USB drive during initial setup:
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**.
- 
+ :::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC.":::
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**.
+2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
- 
+ - If there is only one provisioning package on the USB drive, the provisioning package is applied. See step 5.
+ - If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**.
-4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**.
+ :::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?":::
- 
+3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**.
-5. Select **Yes, add it**.
+ :::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package.":::
- 
+4. The selected provisioning package will install and apply to the device.
-## After setup, from a USB drive, network folder, or SharePoint site
+ :::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC.":::
-Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
+5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device.
-
+## After initial setup
+
+Provisioning packages can be applied after initial setup through Windows settings or by simply double-clicking a provisioning package.
+
+### Windows Settings
+
+1. Insert the USB drive, then navigate to **Settings** > **Accounts** > [**Access work or school**](ms-settings:workplace) > **Add or remove a provisioning package** > **Add a package**.
+
+ :::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package.":::
+
+2. Choose the method you want to use, such as **Removable Media**.
+
+ :::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method.":::
+
+3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**.
+
+ :::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package.":::
+
+4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
+
+ :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
+
+5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
+
+ :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
+
+### Apply Directly
+
+To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site:
+
+1. Navigate to the provisioning package and double-click it to begin the installation.
+
+ :::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation.":::
+
+2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
+
+ :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
+
+3. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
+
+ :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
## Related articles
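Review bot: Step 1 under "During initial setup" changes the reset path to **Settings** > **System** > **Recovery**, which is the Windows 11 location, but the applies-to list in this hunk still includes Windows 10, where the removed text's **Update & security** > **Recovery** is the correct path; give both paths or word the step so it holds for both versions. Smaller points in the same hunk: the alt-text for provisioning-runtime-click-to-install.png reads "to being installation" (should be "begin"), "### Apply Directly" is title case while the H2 headings are sentence case, and the UAC and trust steps tell the reader to make sure the package is trusted without saying what to check, so a pointer to how to confirm the package's source would make that advice actionable.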
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 95e51c1316..fbe7aecde9 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -2,8 +2,6 @@
title: Windows Configuration Designer command-line interface (Windows 10/11)
description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index f926e57f98..2852698705 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -2,8 +2,6 @@
title: Create a provisioning package (Windows 10/11)
description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index cc1fff48d3..737cb64b16 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -2,8 +2,6 @@
title: How provisioning works in Windows 10/11
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 1df2136104..59419bb6b2 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -2,8 +2,6 @@
title: Install Windows Configuration Designer (Windows 10/11)
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 0987e3f720..65b4475739 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -2,8 +2,6 @@
title: Create a provisioning package with multivariant settings (Windows 10/11)
description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.topic: article
ms.localizationpriority: medium
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index da386db801..b762a1d124 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -1,12 +1,9 @@
---
title: Provisioning packages overview on Windows 10/11
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
-ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.reviewer: gkomatsu
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
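Review bot: The `description:` context line in this front matter has a misplaced comma, "Learn about what provisioning packages, are and what they do."; fix it in the same change, since the front matter is already being edited here.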
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index 3b6e0300dc..0698178c23 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -2,8 +2,6 @@
title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11)
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 0f1b11b953..e768666071 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -2,8 +2,6 @@
title: Use a script to install a desktop app in provisioning packages (Windows 10/11)
description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index 1a6f2d6af3..04665c5f6e 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -2,8 +2,6 @@
title: Uninstall a provisioning package - reverted settings (Windows 10/11)
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 92a57a02af..a9bfdbcfdf 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -1,10 +1,7 @@
---
title: Set up a shared or guest PC with Windows 10/11
description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios.
-keywords: ["shared pc mode"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
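Review bot: The `description:` line kept as context reads "Windows 10 and Windows has shared PC mode", which looks like a dropped "11" and a verb that should be "have"; since this hunk already touches the front matter, correct it here.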
@@ -65,7 +62,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
|:---|:---|
| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in.
Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account. - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account. - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
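Review bot: The updated DeletionPolicy cell now says "on sign-out" in the first bullet and "at sign-off of an account" in the example; use one term ("sign-out" matches the later `+` line in this file) so the two are not read as different events. In the same sentence, "regardless if the PC is actively in use" would read better as "regardless of whether".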
@@ -85,7 +82,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@@ -185,30 +182,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
### Apply the provisioning package
-You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
-
-**During initial setup**
-
-1. Start with a PC on the setup screen.
-
- 
-
-2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
-
- - If there is only one provisioning package on the USB drive, the provisioning package is applied.
-
- - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install.
-
- 
-
-3. Complete the setup process.
-
-
-**After setup**
-
-On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install.
-
-
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
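Review bot: The `[!NOTE]` kept after the new sentence still says "the setup file", while the added line speaks only of a provisioning package; change it to "the provisioning package" so the warning clearly refers to the same thing. With the step-by-step instructions moved to another article, this data-loss warning is the only caution left in the section, so consider placing it before the link rather than after it.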
@@ -217,7 +191,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index 921c556ecf..dff1da75a5 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -1,14 +1,10 @@
---
title: Set up digital signs on Windows 10/11
description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education).
-ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer: sybruckm
manager: dougeby
ms.author: aaroncz
-keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.date: 09/20/2021
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 4b0658894b..793a35d714 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -2,8 +2,6 @@
title: Troubleshoot Start menu errors
description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index a0d7a0b65a..ffcdeef194 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -1,10 +1,7 @@
---
title: Start layout XML for desktop editions of Windows 10 (Windows 10)
description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
-keywords: ["start screen"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 5699938be7..20c333fb2d 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -2,9 +2,6 @@
title: Add image for secondary Microsoft Edge tiles (Windows 10)
description: Add app tiles on Windows 10 that's a secondary tile.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 40fc295016..ed2728abc4 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -1,13 +1,9 @@
---
title: Configure access to Microsoft Store (Windows 10)
description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
-ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
ms.reviewer:
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store, mobile
author: aczechowski
ms.author: aaroncz
ms.topic: conceptual
diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md
index 30c40db968..30ef22ea5a 100644
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@@ -1,14 +1,10 @@
---
title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs
description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: ericpapa
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
---
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md
index 0891f70e8c..40ada8b099 100644
--- a/windows/configuration/supported-csp-taskbar-windows.md
+++ b/windows/configuration/supported-csp-taskbar-windows.md
@@ -1,14 +1,10 @@
---
title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs
description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar.
-ms.assetid:
manager: dougeby
ms.author: aaroncz
ms.reviewer: chataylo
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
author: aczechowski
ms.localizationpriority: medium
---
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index 5c0961785e..4f970289fa 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -2,9 +2,6 @@
title: Administering UE-V with Windows PowerShell and WMI
description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Administering UE-V with Windows PowerShell and WMI
**Applies to**
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index f2456dee1a..7bf2b82260 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -2,9 +2,6 @@
title: Administering UE-V
description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Administering UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 50a4533c63..a3d3387c57 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -2,9 +2,6 @@
title: Application Template Schema Reference for UE-V
description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Application Template Schema Reference for UE-V
**Applies to**
@@ -433,8 +429,8 @@ Application is a container for settings that apply to a particular application.
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|LocalizedDescriptions|An optional template description localized by a language locale.|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
-|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
-|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
+|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.|
+|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".|
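Review bot: The rewritten DeferToOffice365 row still spells the product two ways in one cell ("Office365" in the first sentence, "Office 365" in the second); since the line is being touched for naming, use one spelling throughout. After the MSA substitution, "Similar to Microsoft account, this controls" compares an element to an account; naming the element ("Similar to DeferToMSAccount, ...") reads more clearly. The trailing Settings context row ends with `[Data types](#data21)".`, a stray quotation mark that the same row in the Common table does not have, and it could be removed in the same pass.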
@@ -452,8 +448,8 @@ Common is similar to an Application element, but it is always associated with tw
|LocalizedNames|An optional name displayed in the UI, localized by a language locale.|
|LocalizedDescriptions|An optional template description localized by a language locale.|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
-|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
-|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
+|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.|
+|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).|
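Review bot: The two added rows in the Common table are word-for-word copies of the Application table rows, so any wording fix to DeferToMSAccount or DeferToOffice365 has to be applied in both places. "enabled in conjunction with a Microsoft account or not" followed by "will automatically be disabled" leaves the reader to infer which value of the element causes the template to defer; one sentence saying what setting the element to true does would remove the ambiguity.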
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 7b1980ded7..61ca2b8c88 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -2,9 +2,6 @@
title: Changing the Frequency of UE-V Scheduled Tasks
description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Changing the Frequency of UE-V Scheduled Tasks
**Applies to**
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 8aa4719d90..249336440f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -2,9 +2,6 @@
title: Configuring UE-V with Group Policy Objects
description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Configuring UE-V with Group Policy Objects
**Applies to**
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index fa9dda05ab..b8e6955c3d 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -2,9 +2,6 @@
title: Configuring UE-V with Microsoft Endpoint Configuration Manager
description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Configuring UE-V with Microsoft Endpoint Manager
**Applies to**
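Review bot: The front matter title in this file reads "Configuring UE-V with Microsoft Endpoint Configuration Manager" while the H1 kept as context in this hunk reads "# Configuring UE-V with Microsoft Endpoint Manager". The change only drops the blank line above the heading, so the mismatch survives; since the file is already being edited, align the H1 with the title (or the reverse) so the page title and heading name the same product.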
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index 1b6513b56d..22cfb858c0 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -2,9 +2,6 @@
title: Deploy required UE-V features
description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 21f2749843..fad99aed73 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -2,9 +2,6 @@
title: Use UE-V with custom applications
description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 9074ddc234..75fab30ab1 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -2,9 +2,6 @@
title: User Experience Virtualization for Windows 10, version 1607
description: Overview of User Experience Virtualization for Windows 10, version 1607
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 05/02/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 2bb02af5e6..39bbfe1418 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -2,9 +2,6 @@
title: Get Started with UE-V
description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 03/08/2018
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9ed8904dec..1aa6e9f43e 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -2,9 +2,6 @@
title: Manage Administrative Backup and Restore in UE-V
description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Manage Administrative Backup and Restore in UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 4533fb9eb7..a8f2d63d6f 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -2,9 +2,6 @@
title: Manage Configurations for UE-V
description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Manage Configurations for UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index b36faf10c5..ba5bebadea 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -2,9 +2,6 @@
title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
**Applies to**
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index d111d768eb..ab70b3209a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -2,9 +2,6 @@
title: Manage UE-V Service and Packages with Windows PowerShell and WMI
description: Managing the UE-V service and packages with Windows PowerShell and WMI
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Managing the UE-V service and packages with Windows PowerShell and WMI
**Applies to**
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 026b5fd10f..eaa34a41eb 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -2,9 +2,6 @@
title: Migrating UE-V settings packages
description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Migrating UE-V settings packages
**Applies to**
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index b2b109d6b6..38b78b9d47 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -2,9 +2,6 @@
title: Prepare a UE-V Deployment
description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index fdc838991d..67badc0dbf 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -2,9 +2,6 @@
title: User Experience Virtualization (UE-V) Release Notes
description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index d692ba9f46..b7dc73d2d0 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -2,9 +2,6 @@
title: Security Considerations for UE-V
description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Security Considerations for UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index 6eea46080c..31ae2008ce 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -2,9 +2,6 @@
title: Sync Methods for UE-V
description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 414b095f83..a396907df5 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -2,9 +2,6 @@
title: Sync Trigger Events for UE-V
description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index ea4f3d49bd..c2a81519f1 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -2,9 +2,6 @@
title: Synchronizing Microsoft Office with UE-V
description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Synchronizing Office with UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index cac53df19c..f5a9059d3e 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -2,9 +2,6 @@
title: Technical Reference for UE-V
description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Technical Reference for UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index a940df7833..3bf804b17d 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -2,9 +2,6 @@
title: Troubleshooting UE-V
description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
@@ -13,7 +10,6 @@ ms.author: aaroncz
ms.topic: article
---
-
# Troubleshooting UE-V
**Applies to**
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 7cae468ca9..226fe3c440 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -2,9 +2,6 @@
title: Upgrade to UE-V for Windows 10
description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index fb8d02a2a7..59e4e1d213 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -2,9 +2,6 @@
title: Using UE-V with Application Virtualization applications
description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index 3240b7bcfa..89fb778fef 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -2,9 +2,6 @@
title: What's New in UE-V for Windows 10, version 1607
description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index bbbe078c55..d0f06bd548 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -2,9 +2,6 @@
title: Working with Custom UE-V Templates and the UE-V Template Generator
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: aczechowski
-ms.pagetype: mdop, virtualization
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index ac4bac4e80..98aa47fcb1 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -2,8 +2,6 @@
title: AccountManagement (Windows 10)
description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 25d47941a7..94e31def8a 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -2,8 +2,6 @@
title: Accounts (Windows 10)
description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 54f74aba1c..80e83844b0 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -2,8 +2,6 @@
title: ADMXIngestion (Windows 10)
description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
@@ -15,21 +13,59 @@ manager: dougeby
# ADMXIngestion (Windows Configuration Designer reference)
-Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
+Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file.
- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
>[!IMPORTANT]
->Only per-device policies can be set using a provisioning package.
+>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package.
## Applies to
-| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Enterprise |
| --- | :---: | :---: | :---: | :---: |
-| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | |
-| [ConfigOperations](#configoperations) | ✔️ | | | |
+| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | ✔️ |
+| [ConfigOperations](#configoperations) | ✔️ | | | ✔️ |
+
+## ConfigOperations
+
+Use **ConfigOperations** to import ADMX policies from an ADMX file.
+
+1. Enter an app name, and then click **Add**.
+
+ This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name.
+
+ Example, `MSEdgeEfficiencyMode`
+
+2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
+
+ The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
+
+3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
+
+ The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
+
+ Example, `MSEdgeEfficiencyMode`
+
+ >[!NOTE]
+ >Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors.
+
+4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
+
+ >[!NOTE]
+ >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
+
+ Example, EfficiencyMode
+ ```XML
+
+ ```
+
+5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
+
+
+
## ConfigADMXInstalledPolicy
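Review bot: In step 4 of the new ConfigOperations procedure, the fence under "Example, EfficiencyMode" opens with ```XML and closes with nothing inside it as shown here, so the step that tells the reader what to paste has no sample; confirm the single-line policy XML survives rendering, or escape it. Step 1 now says "if you are importing ADMX for Chromium Edge, enter an app name.", which lost the concrete name the old text gave for Office 16; fold the following "Example, `MSEdgeEfficiencyMode`" line into that sentence. The link `[Convert multi-line to single line](#convert)` depends on an explicit `convert` anchor that is not visible in this diff, so check that it still resolves now that the sections are reordered. "convert it to a single-line" is missing its noun, and "authorizing errors" in the note looks like it was meant to be "authoring errors".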
@@ -40,59 +76,121 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha
1. Enter an area name, and then click **Add**. The structure of the area name is the following:
- `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX`
+ `~~`
See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example.
- Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates`
+ Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance`
-2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`.
-3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``.
+2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**.
-## ConfigOperations
+ Example, `EfficiencyMode`.
-Use **ConfigOperations** to import an ADMX file or policies from an ADMX file.
+3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field.
-1. Enter an app name, and then click **Add**.
+ Example, ``.
- This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**.
-2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
+## Category and policy in ADMX
- The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
-
-3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
+The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names.
- The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
+```XML
+
+
+
+
+
+
+```
+
-4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
+The next sample highlights the specific policy.
- >[!NOTE]
- >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
-
-5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
+```XML
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
-
## Convert multi-line to single line
Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**.
```PS
-$path="file path"
-(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force
+$outputFile = "output.admx"
+$inputFile = "input.admx"
+(Get-Content $inputFile -Raw).Replace("`r`n","") | Set-Content $outputFile -Force
```
-## Category and policy in ADMX
-
-The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
-
-
-
-The next image highlights the specific policy.
-
-
-
+## Configuration Samples
+Example: Edge Efficiency Mode
+```XML
+
+
+
+ {d1ab1e3e-6e6d-4bd5-b35b-34cca18d2e16}
+ MSEdgeEfficiencyMode
+ 1.1
+ OEM
+ 0
+
+
+
+
+
+
+
+
+
+ <enabled/><data id="EfficiencyMode" value="2"/>
+
+
+
+
+
+
+
+
+ <?xml version="1.0" ?><policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions"> <!--microsoft_edge version: 96.0.1054.62--> <policyNamespaces> <target namespace="Microsoft.Policies.Edge" prefix="microsoft_edge"/> <using namespace="Microsoft.Policies.Windows" prefix="windows"/> </policyNamespaces> <resources minRequiredRevision="1.0"/> <supportedOn> <definitions> <definition displayName="$(string.SUPPORTED_WIN7_V96)" name="SUPPORTED_WIN7_V96"/> </definitions> </supportedOn> <categories> <category displayName="$(string.microsoft_edge)" name="microsoft_edge"/> <category displayName="$(string.Performance_group)" name="Performance"> <parentCategory ref="microsoft_edge"/> </category> </categories> <policies> <policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"> <parentCategory ref="Performance"/> <supportedOn ref="SUPPORTED_WIN7_V96"/> <elements> <enum id="EfficiencyMode" valueName="EfficiencyMode"> <item displayName="$(string.EfficiencyMode_AlwaysActive)"> <value> <decimal value="0"/> </value> </item> <item displayName="$(string.EfficiencyMode_NeverActive)"> <value> <decimal value="1"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"> <value> <decimal value="2"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"> <value> <decimal value="3"/> </value> </item> </enum> </elements> </policy> </policies></policyDefinitions>
+
+
+
+
+
+
+
+
+
+
+```
## Related topics
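Review bot: The new conversion one-liner, (Get-Content $inputFile -Raw).Replace("`r`n",""), only strips CRLF pairs, so an ADMX file saved with LF-only line endings comes out still multi-line, while the sentence above it promises to remove carriage returns and line feeds. Consider the regex form -replace "\r?\n","" so both line-ending styles are flattened, and add -NoNewline to Set-Content if the pasted value must be strictly one line, since Set-Content appends a newline by default. Separately, the step 3 example appears here as an empty code span (Example, ``.); the Configuration Samples block further down uses <enabled/><data id="EfficiencyMode" value="2"/>, which looks like the value meant there. The two "Example," lines should also use the same "Example:" form as the first added example, and the new "## Configuration Samples" heading needs a blank line between it and the "Example: Edge Efficiency Mode" line and the fence that follows.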
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 68825227e9..f7c184e359 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -2,8 +2,6 @@
title: AssignedAccess (Windows 10)
description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
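Review bot: The removal of ms.mktglfcycl and ms.sitesec from this front matter has no stated reason, and the same two-line removal repeats in every wcd-*.md file that follows. Please say in the commit or PR description why these keys are being dropped (for example, that the publishing system no longer reads them), so the bulk change can be checked against that rule rather than file by file.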
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index 5df5b2dfcd..5ebc1cccde 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -2,8 +2,6 @@
title: Browser (Windows 10)
description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 6c94aa8796..502a0b3ade 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -2,8 +2,6 @@
title: CellCore (Windows 10)
description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index f2ba57eae2..d0a091f53f 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 668d0bb304..a83e01ed1d 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -2,8 +2,6 @@
title: Certificates (Windows 10)
description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md
index d196972424..7fae1e2c06 100644
--- a/windows/configuration/wcd/wcd-changes.md
+++ b/windows/configuration/wcd/wcd-changes.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index 090081972f..fdcbf1dd2a 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -2,8 +2,6 @@
title: CleanPC (Windows 10)
description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index e71332a303..24465ae5a5 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -2,8 +2,6 @@
title: Connections (Windows 10)
description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 4f9bd01b6e..307aab14ca 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -2,8 +2,6 @@
title: ConnectivityProfiles (Windows 10)
description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
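Review bot: The description context line in this hunk says "ConnectivityProfile settings" while the title directly above it is "ConnectivityProfiles (Windows 10)". Since this front matter is being edited anyway, make the description match the setting name used in the title.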
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index e09bfedbeb..2d326165c7 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -2,8 +2,6 @@
title: CountryAndRegion (Windows 10)
description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index e8ea46b7dc..dccfa2bfd8 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -2,8 +2,6 @@
title: DesktopBackgroundAndColors (Windows 10)
description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
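Review bot: The description context line in this hunk misspells the setting name as "DesktopBackgrounAndColors" (missing "d"), while the title on the line above has "DesktopBackgroundAndColors". Worth fixing in the same pass over this front matter, since the description text feeds page metadata and search.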
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 6d1c176a3d..62715da105 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -2,8 +2,6 @@
title: DeveloperSetup (Windows 10)
description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index 8a4fe3064e..6a101c9fd1 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -2,8 +2,6 @@
title: DeviceFormFactor (Windows 10)
description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 32484edbd9..a5bb59742b 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -2,8 +2,6 @@
title: DeviceManagement (Windows 10)
description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md
index 440ed6459b..83bb19007c 100644
--- a/windows/configuration/wcd/wcd-deviceupdatecenter.md
+++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md
@@ -2,8 +2,6 @@
title: DeviceUpdateCenter (Windows 10)
description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index ed596c0b34..1154e1643c 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -2,8 +2,6 @@
title: DMClient (Windows 10)
description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 9c2e199008..114234aa5d 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -2,8 +2,6 @@
title: EditionUpgrade (Windows 10)
description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index 574f4d2a0d..a31d1cddcb 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -2,8 +2,6 @@
title: FirewallConfiguration (Windows 10)
description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index a830d6925b..025c70a9b5 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -2,8 +2,6 @@
title: FirstExperience (Windows 10)
description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index 1008dd3172..e45a67e31a 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -2,8 +2,6 @@
title: Folders (Windows 10)
description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index cf3eb21000..db0317ff32 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -2,8 +2,6 @@
title: HotSpot (Windows 10)
description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 9e653528de..0f38069d39 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -2,8 +2,6 @@
title: KioskBrowser (Windows 10)
description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index 8342ca38d7..5e1385d91a 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -2,8 +2,6 @@
title: Licensing (Windows 10)
description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 3e0a47a230..65d0cf04b9 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -2,8 +2,6 @@
title: Location (Windows 10)
description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index cdb5ff8a79..fa05e3ac5d 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -2,8 +2,6 @@
title: Maps (Windows 10)
description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index e16622e753..20e53f7d72 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -2,8 +2,6 @@
title: NetworkProxy (Windows 10)
description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 24179089bf..46d1804745 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -2,8 +2,6 @@
title: NetworkQoSPolicy (Windows 10)
description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 7ab4e1b5f7..f885d27c0e 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index 6bfb8c53ab..ecd6a488c9 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -2,8 +2,6 @@
title: Personalization (Windows 10)
description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index c894bdc784..fddfc8e061 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index ff0d8ba5c4..827c8bad55 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -2,8 +2,6 @@
title: Privacy (Windows 10)
description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 353d7fc8d7..fe6ca80426 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -2,8 +2,6 @@
title: ProvisioningCommands (Windows 10)
description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index e92b9ff5e9..f3035e6415 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -2,8 +2,6 @@
title: SharedPC (Windows 10)
description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 18f8ce37ce..c3e15932b1 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -2,8 +2,6 @@
title: SMISettings (Windows 10)
description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index c06113474f..04bbf138fd 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -2,8 +2,6 @@
title: Start (Windows 10)
description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 97b161c250..ad8220553a 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -2,8 +2,6 @@
title: StartupApp (Windows 10)
description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 4e26559f04..dba45f6c55 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -2,8 +2,6 @@
title: StartupBackgroundTasks (Windows 10)
description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index 4ef3ca8adf..83269cd2b6 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -2,8 +2,6 @@
title: StorageD3InModernStandby (Windows 10)
description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 227a05ff2f..4d3996dcfd 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -2,8 +2,6 @@
title: SurfaceHubManagement (Windows 10)
description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 7365638aa4..7c8c7a37e3 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -2,8 +2,6 @@
title: TabletMode (Windows 10)
description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index 0fc360651c..b4843fdb7b 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -2,8 +2,6 @@
title: TakeATest (Windows 10)
description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 19dc4a9203..c2a766d169 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -2,8 +2,6 @@
title: Time (Windows 10)
description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 7a54c8d4a2..8c8c8648db 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -2,8 +2,6 @@
title: UnifiedWriteFilter (Windows 10)
description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 3eec0e5b18..f62e4299e3 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -2,8 +2,6 @@
title: UniversalAppInstall (Windows 10)
description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 38594be3eb..690bfc3ea4 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -2,8 +2,6 @@
title: UniversalAppUninstall (Windows 10)
description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 946006edef..1c9909507e 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -2,8 +2,6 @@
title: UsbErrorsOEMOverride (Windows 10)
description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index 057f4eb2ea..676df2efed 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -2,8 +2,6 @@
title: WeakCharger (Windows 10)
description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index 9549606c41..f42e48ac49 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -2,8 +2,6 @@
title: WindowsHelloForBusiness (Windows 10)
description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index 37390601a1..51e2f55a43 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -2,8 +2,6 @@
title: WindowsTeamSettings (Windows 10)
description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 810a9d27b4..2709497450 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -4,8 +4,6 @@ ms.reviewer:
manager: dougeby
description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index a61acc7311..ee8d4e0bc6 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -2,8 +2,6 @@
title: Workplace (Windows 10)
description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index a0de3514c7..6fb2f329ca 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -2,8 +2,6 @@
title: Windows Configuration Designer provisioning settings (Windows 10)
description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md
index d2a8850284..3f9a6310d2 100644
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-10-accessibility-for-ITPros.md
@@ -3,8 +3,6 @@ title: Windows 10 accessibility information for IT Pros (Windows 10)
description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
@@ -89,3 +87,5 @@ This topic helps IT administrators learn about built-in accessibility features,
[Inclusive Design](https://www.microsoft.com/design/inclusive)
+[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
+
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 917fc0e4f1..4965185168 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,13 +1,9 @@
---
title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
-ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
ms.reviewer:
manager: dougeby
-keywords: ["start screen", "start menu"]
ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 962bb26a07..88baf2f9e0 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -1,13 +1,9 @@
---
title: Configure Windows Spotlight on the lock screen (Windows 10)
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
-ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
ms.reviewer:
manager: dougeby
-keywords: ["lockscreen"]
ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
ms.topic: article
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 0e700e4349..cbeb91ed35 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -184,51 +184,86 @@
href: update/deploy-updates-intune.md
- name: Monitor Windows client updates
items:
- - name: Monitor Delivery Optimization
- href: do/waas-delivery-optimization-setup.md#monitor-delivery-optimization
- - name: Monitor Windows Updates
+ - name: Monitor with Update Compliance (preview version)
+ href: update/update-compliance-v2-overview.md
+ items:
+ - name: Enable Update Compliance (preview)
+ items:
+ - name: Update Compliance prerequisites
+ href: update/update-compliance-v2-prerequisites.md
+ - name: Enable the Update Compliance solution
+ href: update/update-compliance-v2-enable.md
+ - name: Configure clients with a script
+ href: update/update-compliance-v2-configuration-script.md
+ - name: Configure clients manually
+ href: update/update-compliance-v2-configuration-manual.md
+ - name: Configure clients with Microsoft Endpoint Manager
+ href: update/update-compliance-v2-configuration-mem.md
+ - name: Use Update Compliance (preview)
+ items:
+ - name: Use Update Compliance
+ href: update/update-compliance-v2-use.md
+ - name: Software updates in the Microsoft admin center (preview)
+ href: update/update-status-admin-center.md
+ - name: Update Compliance schema reference (preview)
items:
- - name: Monitor Windows Updates with Update Compliance
- href: update/update-compliance-monitor.md
- - name: Get started
- items:
- - name: Get started with Update Compliance
- href: update/update-compliance-get-started.md
- - name: Update Compliance configuration script
- href: update/update-compliance-configuration-script.md
- - name: Manually configuring devices for Update Compliance
- href: update/update-compliance-configuration-manual.md
- - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager
- href: update/update-compliance-configuration-mem.md
- - name: Update Compliance monitoring
- items:
- - name: Use Update Compliance
- href: update/update-compliance-using.md
- - name: Need attention report
- href: update/update-compliance-need-attention.md
- - name: Security update status report
- href: update/update-compliance-security-update-status.md
- - name: Feature update status report
- href: update/update-compliance-feature-update-status.md
- - name: Safeguard holds report
- href: update/update-compliance-safeguard-holds.md
- - name: Delivery Optimization in Update Compliance
- href: update/update-compliance-delivery-optimization.md
- - name: Data handling and privacy in Update Compliance
- href: update/update-compliance-privacy.md
- - name: Update Compliance schema reference
- href: update/update-compliance-schema.md
- items:
- - name: WaaSUpdateStatus
- href: update/update-compliance-schema-waasupdatestatus.md
- - name: WaaSInsiderStatus
- href: update/update-compliance-schema-waasinsiderstatus.md
- - name: WaaSDepoymentStatus
- href: update/update-compliance-schema-waasdeploymentstatus.md
- - name: WUDOStatus
- href: update/update-compliance-schema-wudostatus.md
- - name: WUDOAggregatedStatus
- href: update/update-compliance-schema-wudoaggregatedstatus.md
+ - name: Update Compliance schema reference
+ href: update/update-compliance-v2-schema.md
+ - name: UCClient
+ href: update/update-compliance-v2-schema-ucclient.md
+ - name: UCClientReadinessStatus
+ href: update/update-compliance-v2-schema-ucclientreadinessstatus.md
+ - name: UCClientUpdateStatus
+ href: update/update-compliance-v2-schema-ucclientupdatestatus.md
+ - name: UCDeviceAlert
+ href: update/update-compliance-v2-schema-ucdevicealert.md
+ - name: UCServiceUpdateStatus
+ href: update/update-compliance-v2-schema-ucserviceupdatestatus.md
+ - name: UCUpdateAlert
+ href: update/update-compliance-v2-schema-ucupdatealert.md
+ - name: Monitor updates with Update Compliance
+ href: update/update-compliance-monitor.md
+ items:
+ - name: Get started
+ items:
+ - name: Get started with Update Compliance
+ href: update/update-compliance-get-started.md
+ - name: Update Compliance configuration script
+ href: update/update-compliance-configuration-script.md
+ - name: Manually configuring devices for Update Compliance
+ href: update/update-compliance-configuration-manual.md
+ - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager
+ href: update/update-compliance-configuration-mem.md
+ - name: Update Compliance monitoring
+ items:
+ - name: Use Update Compliance
+ href: update/update-compliance-using.md
+ - name: Need attention report
+ href: update/update-compliance-need-attention.md
+ - name: Security update status report
+ href: update/update-compliance-security-update-status.md
+ - name: Feature update status report
+ href: update/update-compliance-feature-update-status.md
+ - name: Safeguard holds report
+ href: update/update-compliance-safeguard-holds.md
+ - name: Delivery Optimization in Update Compliance
+ href: update/update-compliance-delivery-optimization.md
+ - name: Data handling and privacy in Update Compliance
+ href: update/update-compliance-privacy.md
+ - name: Schema reference
+ items:
+ - name: Update Compliance schema reference
+ href: update/update-compliance-schema.md
+ - name: WaaSUpdateStatus
+ href: update/update-compliance-schema-waasupdatestatus.md
+ - name: WaaSInsiderStatus
+ href: update/update-compliance-schema-waasinsiderstatus.md
+ - name: WaaSDepoymentStatus
+ href: update/update-compliance-schema-waasdeploymentstatus.md
+ - name: WUDOStatus
+ href: update/update-compliance-schema-wudostatus.md
+ - name: WUDOAggregatedStatus
+ href: update/update-compliance-schema-wudoaggregatedstatus.md
- name: Troubleshooting
items:
- name: Resolve upgrade errors
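Review bot: the re-added entry `- name: WaaSDepoymentStatus` under the non-preview "Schema reference" items still misspells the table name; the href on the next line is `update/update-compliance-schema-waasdeploymentstatus.md`, so the name should read `WaaSDeploymentStatus`. These lines are being rewritten anyway, so fix it in this change. The hunk also drops the `Monitor Delivery Optimization` entry that pointed at `do/waas-delivery-optimization-setup.md#monitor-delivery-optimization` and adds no replacement under this node; confirm that is intended and that the monitoring content is still reachable from the TOC.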
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 074b1f2d92..e1650926b3 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
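Review bot: steps 1 and 2 hard-code the installer build (`AcroRdrDC2200120117_en_US.exe`) in two places, which is what made this edit necessary and will go stale again with the next Reader release. Consider a placeholder file name with a note to substitute the current build, so the article does not steer readers toward an outdated build. In step 2 the example command is plain text, so Markdown can treat sequences such as `\"` as escapes and drop the backslash; put the command in inline code, and use the same path form as step 1 (`D:\\setup\\adobe` versus `d:\setup\adobe\install\`).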
diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/imcc02.png
index 351dad7325..151fa69ed7 100644
Binary files a/windows/deployment/do/images/imcc02.png and b/windows/deployment/do/images/imcc02.png differ
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/imcc10.png
index e5da041358..53d2773ce6 100644
Binary files a/windows/deployment/do/images/imcc10.png and b/windows/deployment/do/images/imcc10.png differ
diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/imcc11.png
index 9ffaac6072..bf45500aba 100644
Binary files a/windows/deployment/do/images/imcc11.png and b/windows/deployment/do/images/imcc11.png differ
diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/imcc12.png
index fcb5d40a45..d776cb5913 100644
Binary files a/windows/deployment/do/images/imcc12.png and b/windows/deployment/do/images/imcc12.png differ
diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/imcc13.png
index 3d2a566c8b..feee2d0e9c 100644
Binary files a/windows/deployment/do/images/imcc13.png and b/windows/deployment/do/images/imcc13.png differ
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/imcc14.png
index 627d496b4c..59dc405046 100644
Binary files a/windows/deployment/do/images/imcc14.png and b/windows/deployment/do/images/imcc14.png differ
diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/imcc17.png
index ac6b5be124..f6b0ffcad7 100644
Binary files a/windows/deployment/do/images/imcc17.png and b/windows/deployment/do/images/imcc17.png differ
diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/imcc18.png
index aa818361eb..5b89bfe31a 100644
Binary files a/windows/deployment/do/images/imcc18.png and b/windows/deployment/do/images/imcc18.png differ
diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/imcc19.png
index 2a70b46b11..ead9d1c383 100644
Binary files a/windows/deployment/do/images/imcc19.png and b/windows/deployment/do/images/imcc19.png differ
diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/imcc26.png
index c46a7e6363..b64e3849dc 100644
Binary files a/windows/deployment/do/images/imcc26.png and b/windows/deployment/do/images/imcc26.png differ
diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/imcc27.png
index 01076b3ae5..c37713364f 100644
Binary files a/windows/deployment/do/images/imcc27.png and b/windows/deployment/do/images/imcc27.png differ
diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/imcc28.png
index a7aa7eecd7..cc99b61638 100644
Binary files a/windows/deployment/do/images/imcc28.png and b/windows/deployment/do/images/imcc28.png differ
diff --git a/windows/deployment/do/images/imcc29.png b/windows/deployment/do/images/imcc29.png
deleted file mode 100644
index 2291487e5b..0000000000
Binary files a/windows/deployment/do/images/imcc29.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/imcc30.png
index 8cabce52c8..42301d5c4c 100644
Binary files a/windows/deployment/do/images/imcc30.png and b/windows/deployment/do/images/imcc30.png differ
diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png
new file mode 100644
index 0000000000..c40ab0c5c9
Binary files /dev/null and b/windows/deployment/do/images/imcc54.png differ
diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/imcc55.PNG
new file mode 100644
index 0000000000..2875d4d56e
Binary files /dev/null and b/windows/deployment/do/images/imcc55.PNG differ
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
new file mode 100644
index 0000000000..811b6b5a0c
--- /dev/null
+++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
@@ -0,0 +1,162 @@
+---
+author: mestew
+ms.author: mstewart
+manager: dougeby
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.mktglfcycl: deploy
+audience: itpro
+ms.topic: include
+ms.date: 04/06/2022
+ms.localizationpriority: medium
+---
+
+
+## Monitor Delivery Optimization
+
+### Windows PowerShell cmdlets
+
+**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization.
+
+#### Analyze usage
+
+`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
+
+| Key | Value |
+| --- | --- |
+| File ID | A GUID that identifies the file being processed |
+| FileSize | Size of the file |
+| FileSizeInCache | Size of the file in the cache |
+| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
+| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
+| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
+| BytesfromHTTP | Total number of bytes received over HTTP |
+| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
+| Priority | Priority of the download; values are **foreground** or **background** |
+| BytesFromCacheServer | Total number of bytes received from cache server |
+| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
+| BytesFromGroupPeers | Total number of bytes received from peers found in the group |
+| BytesFromInternetPeers | Total number of bytes received from internet peers |
+| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
+| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
+| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN |
+| DownloadDuration | Total download time in seconds |
+| HttpConnectionCount | |
+| LanConnectionCount | |
+| GroupConnectionCount | |
+| InternetConnectionCount | |
+| DownloadMode | |
+| SourceURL | Http source for the file |
+| CacheHost | IP address for the cache server |
+| NumPeers | Indicates the total number of peers returned from the service. |
+| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. |
+| ExpireOn | The target expiration date and time for the file. |
+| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
+
+`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
+
+| Key | Value |
+| --- | --- |
+| FilesDownloaded | Number of files downloaded |
+| FilesUploaded | Number of files uploaded |
+| Files | |
+| TotalBytesDownloaded | Total bytes downloaded |
+| TotalBytesUploaded | Total bytes uploaded |
+| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files |
+| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files |
+| DownloadMode | Delivery Optimization Download mode used to deliver file |
+| CacheSizeBytes | |
+| TotalDiskBytes | |
+| AvailableDiskBytes | |
+| CpuUsagePct | |
+| MemUsageKB | |
+| NumberOfPeers | |
+| CacheHostConnections | |
+| CdnConnections | |
+| LanConnections | |
+| LinkLocalConnections | |
+| GroupConnections | |
+| InternetConnections | |
+| DownlinkBps | |
+| DownlinkUsageBps | |
+| UplinkBps | |
+| UplinkUsageBps | |
+| ForegroundDownloadRatePct | |
+| BackgroundDownloadRatePct | |
+| UploadRatePct | |
+| UplinkUsageBps | |
+| ForegroundDownloadRatePct | |
+| BackgroundDownloadRatePct | |
+| UploadRatePct | |
+| UploadCount | |
+| ForegroundDownloadCount | |
+| ForegroundDownloadsPending | |
+| BackgroundDownloadCount | |
+| BackgroundDownloadsPending | |
+
+Using the `-Verbose` option returns additional information:
+
+- Bytes from peers (per type)
+- Bytes from CDN (the number of bytes received over HTTP)
+- Average number of peer connections per download
+
+**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+
+Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
+
+#### Manage the Delivery Optimization cache
+
+**Starting in Windows 10, version 1903:**
+
+`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time.
+
+`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache.
+
+You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3.
+
+`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation.
+
+`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are reached. The file is included in the cache quota calculation.
+
+`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet:
+
+- `-FileID` specifies a particular file to delete.
+- `-IncludePinnedFiles` deletes all files that are pinned.
+- `-Force` deletes the cache with no prompts.
+
+#### Work with Delivery Optimization logs
+
+**Starting in Windows 10, version 2004:**
+
+- `Enable-DeliveryOptimizationVerboseLogs`
+- `Disable-DeliveryOptimizationVerboseLogs`
+
+- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
+
+With no options, this cmdlet returns these data:
+
+- total number of files
+- number of foreground files
+- minimum file size for it to be cached
+- number of eligible (larger than the minimum size for peering) files
+- number of files that found peers
+- number of peering files (the number of files that got at least 1 byte from peers)
+- overall efficiency
+- efficiency in the peered files
+
+Using the `-ListConnections` option returns these details about peers:
+
+- destination IP address
+- peer type
+- status code
+- bytes sent
+- bytes received
+- file ID
+
+**Starting in Windows 10, version 1803:**
+
+`Get-DeliveryOptimizationLog [-Path ] [-Flush]`
+
+If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
+
+Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content
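Review bot: in the `Get-DeliveryOptimizationStatus` table, the `BytesToInternetPeers` row is described as "Total number of bytes delivered from peers found on the LAN", which repeats the `BytesToLanPeers` text; it should describe internet peers. In the same table the `IsPinned` row refers to `setDeliveryOptmizationStatus` (missing hyphen, misspelled), and the pin examples use `-File ID [FileID]` where the expiration examples use `-FileID`. The `Get-DeliveryOptimizationPerfSnap` table lists `UplinkUsageBps`, `ForegroundDownloadRatePct`, `BackgroundDownloadRatePct` and `UploadRatePct` twice, and the front matter adds `ms.mktglfcycl: deploy`, a key that the rest of this patch removes from other files.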