Merge branch 'main' into wufbr-perms-7738226

Meghan Stewart 2023-04-03 10:50:57 -07:00 committed by GitHub
commit 9874ffa952
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
305 changed files with 8740 additions and 2699 deletions

View File

@ -67,6 +67,15 @@
"v-stsavell"
]
},
"fileMetadata": {
"appliesto":{
"windows/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11 SE</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
]
}
},
"externalReference": [],
"template": "op.html",
"dest": "education",
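Review bot: the folder-wide `windows/**/*.md` default stamps all three badges (Windows 11, Windows 11 SE, Windows 10) on every article under `windows/`, including the ones whose per-file `appliesto` list this same commit removes, so any article in that glob that does not actually apply to all three (for example a page that still says it resets "Windows 10 devices") is now mislabelled. Please confirm each affected article really spans all three, and keep a per-file override where it does not. Also decide what a file that keeps a bare `appliesto:` key with no list should mean against this default (null as an explicit opt-out, or an empty badge rendered), since this commit introduces several of those.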

View File

@ -15,7 +15,7 @@ ms.collection:
IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must:
To enable Autopilot Reset you must:
1. [Enable the policy for the feature](#enable-autopilot-reset)
2. [Trigger a reset for each device](#trigger-autopilot-reset)
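Review bot: the replacement line "To enable Autopilot Reset you must:" drops the minimum version ("Windows 10, version 1709") that the removed line documented, but the paragraph just above still says "reset Windows 10 devices from the lock screen", so the page now neither states a minimum build nor reads as version-neutral. Either generalize the preceding sentence as well ("Windows devices") or keep the minimum-version requirement in the intro, because with the folder-level appliesto now advertising Windows 11 and Windows 11 SE, an admin on an older Windows 10 build has no way to tell the feature is unavailable there.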

View File

@ -10,8 +10,6 @@ manager: jeffbu
ms.collection:
- tier3
- education
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Upgrade Windows Home to Windows Education on student-owned devices

View File

@ -3,6 +3,7 @@ title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 02/24/2023
ms.topic: how-to
appliesto:
---
# Configure federation between Google Workspace and Azure AD
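Review bot: `appliesto:` is added as a bare key with no value, which YAML reads as null. If the intent is to opt this tenant-level federation article out of the folder-level `fileMetadata` badges added in docfx.json, confirm that the build treats a null value as an override rather than rendering an empty badge, and leave a short comment saying so; if that is not the intent, remove the key rather than leave an empty one.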

View File

@ -3,8 +3,6 @@ title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 09/30/2022
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Configure Take a Test in kiosk mode

View File

@ -5,6 +5,7 @@ ms.date: 09/15/2022
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
---
# Configure education themes for Windows 11

View File

@ -5,6 +5,7 @@ ms.date: 03/15/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- tier1

View File

@ -3,8 +3,6 @@ title: Get and deploy Minecraft Education
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
ms.date: 02/23/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
ms.collection:
- highpri
- education

View File

@ -1,6 +1,4 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 02/22/2022
ms.topic: include
---

View File

@ -1,6 +1,4 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 11/08/2022
ms.topic: include
---

View File

@ -1,6 +1,4 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 11/08/2022
ms.topic: include
---

View File

@ -3,8 +3,6 @@ title: What's new in the Windows Set up School PCs app
description: Find out about app updates and new features in Set up School PCs.
ms.topic: whats-new
ms.date: 08/10/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# What's new in Set up School PCs

View File

@ -1,10 +1,8 @@
---
title: Take a Test app technical reference
description: List of policies and settings applied by the Take a Test app.
ms.date: 09/30/2022
ms.date: 03/31/2023
ms.topic: reference
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Take a Test app technical reference

View File

@ -1,10 +1,8 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 09/30/2022
ms.date: 03/31/2023
ms.topic: conceptual
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Take tests and assessments in Windows

View File

@ -3,8 +3,6 @@ title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Configure applications with Microsoft Intune

View File

@ -3,8 +3,6 @@ title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Configure and secure devices with Microsoft Intune

View File

@ -3,8 +3,6 @@ title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Configure settings and applications with Microsoft Intune

View File

@ -3,8 +3,6 @@ title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Azure AD from OOBE and automatically get them enrolled in Intune.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Automatic Intune enrollment via Azure AD join

View File

@ -3,8 +3,6 @@ title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Windows Autopilot

View File

@ -3,8 +3,6 @@ title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
ms.date: 08/31/2022
ms.topic: overview
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Device enrollment overview

View File

@ -3,8 +3,6 @@ title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Enrollment with provisioning packages

View File

@ -3,8 +3,6 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 08/31/2022
ms.topic: conceptual
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Tutorial: deploy and manage Windows devices in a school

View File

@ -3,8 +3,6 @@ title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Manage devices with Microsoft Intune

View File

@ -3,8 +3,6 @@ title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Device reset options

View File

@ -3,6 +3,7 @@ title: Set up Azure Active Directory
description: Learn how to create and prepare your Azure AD tenant for an education environment.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
---
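Review bot: same question as for the Google Workspace federation page: a bare `appliesto:` key with no list resolves to null, and it is not clear from the diff whether that suppresses the folder-level badges from docfx.json or renders an empty value. Confirm the behavior and either keep the key with a comment stating it is a deliberate opt-out or drop it.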
# Set up Azure Active Directory

View File

@ -3,6 +3,7 @@ title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
---
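Review bot: this hunk and the "Set up Azure Active Directory" hunk above both add a valueless `appliesto:` key; if the null is meant as an opt-out from the folder default, one comment in each file (or a note in the PR) would save the next editor from "fixing" it by filling the list back in.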
# Set up Microsoft Intune

View File

@ -3,8 +3,6 @@ title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 08/31/2022
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Troubleshoot Windows devices

View File

@ -0,0 +1,10 @@
---
author: aczechowski
ms.author: aaroncz
ms.date: 03/31/2023
ms.topic: include
ms.prod: windows-client
---
> [!NOTE]
> This article was partially created with the help of artificial intelligence. Before publishing, an author reviewed and revised the content as needed. For more information, see [Our principles for using AI-generated content in Microsoft Learn](/azure/principles-for-ai-generated-content).

View File

@ -946,9 +946,9 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
3. Use WMI Interface:
```powershell
$namespace = "root\cimv2\mdm\dmmap"
$policyClassName = "MDM_AppControl_Policies"
$policyBase64 = …
$namespace = "root\cimv2\mdm\dmmap"
$policyClassName = "MDM_ApplicationControl_Policies01_01"
$policyBase64 = "<base64policy>"
```
### Deploying a policy via WMI Bridge
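Review bot: step 3 "Use WMI Interface" still ends after three variable assignments and never calls into WMI, so the reader is given `$namespace` and `$policyClassName` but not the cmdlet call they feed into. The rename to `MDM_ApplicationControl_Policies01_01` and the `"<base64policy>"` placeholder are improvements, but please finish the snippet with the CIM call (for example `New-CimInstance` against that namespace and class, with the parent and instance identifiers the bridge needs) or move the variables down into the "Deploying a policy via WMI Bridge" section where the call lives, so the step is actually executable.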

View File

@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -176,7 +176,7 @@ require reinstallation of Windows.
> [!NOTE]
> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
The expected values for this policy are
The expected values for this policy are:
1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
@ -317,11 +317,16 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
<!-- Device-EncryptionMethodByDriveType-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script."
If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.
- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
> [!NOTE]
> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
<!-- Device-EncryptionMethodByDriveType-Description-End -->
<!-- Device-EncryptionMethodByDriveType-Editable-Begin -->
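Review bot: this replaces the description between the `Device-EncryptionMethodByDriveType-Description` markers with text for a different policy. The new paragraph describes whether "BitLocker protection is required for a computer to be able to write data to a removable data drive" and the "Deny write access to devices configured in another organization" option, while the node name and surrounding markers are about the encryption algorithm and cipher strength per drive type. Check which side is wrong (the DDF mapping the description was generated from, or the node it was emitted under) before merging; as written, an admin reading EncryptionMethodByDriveType finds no mention of XTS-AES or AES-CBC, and the XTS-AES recommendation for fixed and OS drives disappears from the page.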
@ -369,11 +374,12 @@ Sample value for this node to enable this policy and set the encryption methods
| Name | Value |
|:--|:--|
| Name | EncryptionMethodWithXts_Name |
| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) |
| Name | RDVDenyWriteAccess_Name |
| Friendly Name | Deny write access to removable drives not protected by BitLocker |
| Location | Computer Configuration |
| Path | Windows Components > BitLocker Drive Encryption |
| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE |
| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives |
| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE |
| Registry Value Name | RDVDenyWriteAccess |
| ADMX File Name | VolumeEncryption.admx |
<!-- Device-EncryptionMethodByDriveType-AdmxBacked-End -->
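Review bot: the ADMX mapping table under the `Device-EncryptionMethodByDriveType-AdmxBacked` markers now points at `RDVDenyWriteAccess_Name`, path "Removable Data Drives", registry value `RDVDenyWriteAccess` under `System\CurrentControlSet\Policies\Microsoft\FVE`, which is the removable-drive write-deny policy rather than an encryption-method setting. If the node really is backed by RDVDenyWriteAccess, its heading and OMA-URI need to say so; if not, this table should go back to `EncryptionMethodWithXts_Name` under `SOFTWARE\Policies\Microsoft\FVE`. Note the key also moved from the SOFTWARE hive location to SYSTEM\CurrentControlSet, which is correct for RDVDenyWriteAccess but not for the XTS encryption-method value, so the two rows must change together.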
@ -1578,10 +1584,10 @@ The Windows touch keyboard (such as that used by tablets) isn't available in the
- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include
- Configure TPM startup PIN Required/Allowed
- Configure TPM startup key and PIN Required/Allowed
- Configure use of passwords for operating system drives.
**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:
- Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN: Required/Allowed
- Configure use of passwords for operating system drives.
<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Description-End -->
<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/22/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -179,7 +179,7 @@ The following XML file contains the device description framework (DDF) for the B
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ADMX">
<MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="EncryptionMethodWithXts_Name" File="VolumeEncryption.admx" />
<MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVDenyWriteAccess_Name" File="VolumeEncryption.admx" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
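Review bot: the `Name` now agrees with its `Area` (`FVERDVCategory` is the Removable Data Drives category), so `RDVDenyWriteAccess_Name` is internally consistent where `EncryptionMethodWithXts_Name` was not. The enclosing `<NodeName>` is outside the hunk, though, and the companion bitlocker-csp.md change in this commit emits the same mapping under the EncryptionMethodByDriveType markers. Please widen the context (or state the node name in the PR) so reviewers can confirm which OMA-URI this mapping belongs to.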

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -58,6 +58,7 @@ The following list shows the Defender configuration service provider nodes:
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [PassiveRemediation](#configurationpassiveremediation)
@ -65,6 +66,7 @@ The following list shows the Defender configuration service provider nodes:
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection)
@ -1622,7 +1624,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.
This policy setting controls whether or not exclusions are visible to local admins. To control local users exclusions visibility use HideExclusionsFromLocalUsers. If HideExclusionsFromLocalAdmins is set then HideExclusionsFromLocalUsers will be implicitly set.
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-End -->
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Editable-Begin -->
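Review bot: "If HideExclusionsFromLocalAdmins is set" is ambiguous, since the node accepts 0 as well; say "set to 1". The larger issue is what this change removes: the old sentence stated that non-admin users never see exclusions, and the new text, together with the new HideExclusionsFromLocalUsers node that defaults to 0, means that with neither policy configured any local user can enumerate the exclusion list (the Windows Security app or PowerShell, per the allowed-values text), which tells an attacker exactly where to place files that will not be scanned. Spell that default out here and recommend enabling at least HideExclusionsFromLocalUsers on managed devices.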
@ -1656,6 +1658,55 @@ This policy setting controls whether or not exclusions are visible to local admi
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Begin -->
### Configuration/HideExclusionsFromLocalUsers
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Applicability-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalUsers
```
<!-- Device-Configuration-HideExclusionsFromLocalUsers-OmaUri-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether or not exclusions are visible to local users. If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set.
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Description-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Editable-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-DFProperties-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell. |
| 0 (Default) | If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell. |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-AllowedValues-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Examples-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-End -->
<!-- Device-Configuration-IntelTDTEnabled-Begin -->
### Configuration/IntelTDTEnabled
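Review bot: the Applicability row says "Windows 10, version 1809 [10.0.17763] and later", but the DDF in this commit introduces this node at CSP version 1.3, so a 1809 device running an older Defender platform will silently ignore it; add the CSP/platform version requirement in the Editable section. Also "If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set" should read "set to 1", and the 0 (Default) row should state plainly that the default exposes the exclusion list to standard users.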
@ -1696,6 +1747,7 @@ This policy setting configures the Intel TDT integration level for Intel TDT-cap
| Value | Description |
|:--|:--|
| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. |
| 1 | If you configure this setting to enabled, Intel TDT integration will turn on. |
| 2 | If you configure this setting to disabled, Intel TDT integration will turn off. |
<!-- Device-Configuration-IntelTDTEnabled-AllowedValues-End -->
@ -1996,6 +2048,45 @@ This setting allows you to configure the scheduler randomization in hours. The r
<!-- Device-Configuration-SchedulerRandomizationTime-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Begin -->
### Configuration/SecuredDevicesConfiguration
<!-- Device-Configuration-SecuredDevicesConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-SecuredDevicesConfiguration-Applicability-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration
```
<!-- Device-Configuration-SecuredDevicesConfiguration-OmaUri-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Description-Begin -->
<!-- Description-Source-DDF -->
Defines what are the devices primary ids that should be secured by Defender Device Control. The primary id values should be pipe (|) separated. Example: RemovableMediaDevices|CdRomDevices. If this configuration is not set the default value will be applied, meaning all of the supported devices will be secured.
<!-- Device-Configuration-SecuredDevicesConfiguration-Description-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Editable-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
### Configuration/SecurityIntelligenceUpdatesChannel
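Review bot: the description offers `RemovableMediaDevices|CdRomDevices` as an example but never lists the full set of supported primary ids, and `AllowedValues` is absent, so a reader cannot tell which other ids exist or what happens to an unrecognized one (rejected, ignored, or the whole setting fails). Add the complete list and the validation behavior. Worth a sentence in the Editable section too: this value scopes Device Control down to the named classes, so a value such as `CdRomDevices` alone silently drops protection for removable media, and the pipe separator should be shown without surrounding spaces so admins do not produce ids that fail to match.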

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/17/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1852,7 +1852,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.</Description>
<Description>This policy setting controls whether or not exclusions are visible to local admins. To control local users exlcusions visibility use HideExclusionsFromLocalUsers. If HideExclusionsFromLocalAdmins is set then HideExclusionsFromLocalUsers will be implicitly set.</Description>
<DFFormat>
<int />
</DFFormat>
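Review bot: typo "exlcusions" in the new Description; the markdown rendering in this commit already says "exclusions", so fix it here in the DDF so the two do not drift apart when the doc is regenerated from it.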
@ -1881,6 +1881,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>HideExclusionsFromLocalUsers</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy setting controls whether or not exclusions are visible to local users. If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties>
@ -2010,6 +2049,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>SecuredDevicesConfiguration</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines what are the devices primary ids that should be secured by Defender Device Control. The primary id values should be pipe (|) separated. Example: RemovableMediaDevices|CdRomDevices. If this configuration is not set the default value will be applied, meaning all of the supported devices will be secured.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DataDuplicationLocalRetentionPeriod</NodeName>
<DFProperties>
@ -2197,6 +2266,10 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you configure this setting to enabled, Intel TDT integration will turn on.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>If you configure this setting to disabled, Intel TDT integration will turn off.</MSFT:ValueDescription>

View File

@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -31,6 +31,8 @@ The following list shows the DevicePreparation configuration service provider no
- [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext)
- [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- [MDMProvider](#mdmprovider)
- [Progress](#mdmproviderprogress)
- [PageEnabled](#pageenabled)
- [PageSettings](#pagesettings)
- [PageStatus](#pagestatus)
@ -192,6 +194,84 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age
<!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
<!-- Device-MDMProvider-Begin -->
## MDMProvider
<!-- Device-MDMProvider-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-MDMProvider-Applicability-End -->
<!-- Device-MDMProvider-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider
```
<!-- Device-MDMProvider-OmaUri-End -->
<!-- Device-MDMProvider-Description-Begin -->
<!-- Description-Source-DDF -->
The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-Description-End -->
<!-- Device-MDMProvider-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-Editable-End -->
<!-- Device-MDMProvider-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-MDMProvider-DFProperties-End -->
<!-- Device-MDMProvider-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-Examples-End -->
<!-- Device-MDMProvider-End -->
<!-- Device-MDMProvider-Progress-Begin -->
### MDMProvider/Progress
<!-- Device-MDMProvider-Progress-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-MDMProvider-Progress-Applicability-End -->
<!-- Device-MDMProvider-Progress-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/Progress
```
<!-- Device-MDMProvider-Progress-OmaUri-End -->
<!-- Device-MDMProvider-Progress-Description-Begin -->
<!-- Description-Source-DDF -->
Noode for reporting progress status as opaque data.
<!-- Device-MDMProvider-Progress-Description-End -->
<!-- Device-MDMProvider-Progress-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-Progress-Editable-End -->
<!-- Device-MDMProvider-Progress-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get, Replace |
<!-- Device-MDMProvider-Progress-DFProperties-End -->
<!-- Device-MDMProvider-Progress-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-Progress-Examples-End -->
<!-- Device-MDMProvider-Progress-End -->
<!-- Device-PageEnabled-Begin -->
## PageEnabled
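Review bot: The MDMProvider/Progress description reads "Noode for reporting progress status as opaque data" (typo for "Node"); since this section is marked Description-Source-DDF, the fix belongs in the DDF so the next regeneration does not reintroduce it. The description should also say which party writes the opaque string (the node is Get, Replace) and whether there is a length or encoding constraint, since a free-form chr node with no AllowedValues is otherwise unbounded.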
@ -297,7 +377,7 @@ This node configures specific settings for the Device Preparation page.
<!-- Device-PageStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed.
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
<!-- Device-PageStatus-Description-End -->
<!-- Device-PageStatus-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/17/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -89,7 +89,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType>
<Get />
</AccessType>
<Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed.</Description>
<Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
<DFFormat>
<int />
</DFFormat>
@ -243,6 +243,49 @@ The following XML file contains the device description framework (DDF) for the D
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MDMProvider</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The subnode configures the settings for the MDMProvider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>Progress</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Noode for reporting progress status as opaque data.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
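Review bot: "Noode" in the Progress node Description is a typo for "Node" and this DDF is the source the generated CSP reference page is built from, so correct it here. Separately, the Progress node is Scope Permanent with Get and Replace but no AllowedValues or size constraint for the "opaque data"; consider documenting the expected encoding and maximum length in the Description.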

View File

@ -9,9 +9,6 @@ author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
manager: aaroncz
ms.collection:
- highpri
- tier2
---
# DynamicManagement CSP

File diff suppressed because it is too large

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/27/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat>
<bool />
</DFFormat>
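Review bot: The added sentence "This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree." does not state the precedence when both the global EnableFirewall and a per-profile EnableFirewall are set. Because this is the firewall on/off switch, the Description should say whether the per-profile value overrides the global one or whether the more restrictive value wins, otherwise an administrator cannot predict the effective state. The same wording is added to DefaultOutboundAction and DefaultInboundAction below and needs the same clarification.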
@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat>
<int />
</DFFormat>
@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat>
<int />
</DFFormat>
@ -2979,7 +2979,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic.</Description>
<Description>This value is an on/off switch for loopback traffic. This determines if this VM is able to send/receive loopback traffic to other VMs or the host.</Description>
<DFFormat>
<bool />
</DFFormat>
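Review bot: The reworded loopback Description ("able to send/receive loopback traffic to other VMs or the host") should state how this switch relates to the HyperVLoopbackRules subtree added later in this patch, whose rules are described as "all allow rules" for container-to-container or container-to-host traffic. It is not clear from either text whether this boolean gates enforcement of those rules or is an independent allow-all, and the default of false means a reader must know which one applies before authoring any loopback rule.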
@ -3004,6 +3004,606 @@ The following XML file contains the device description framework (DDF) for the F
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AllowHostPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowHostPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowHostPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DomainProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>PrivateProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>PublicProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
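Review bot: The per-profile EnableFirewall and AllowLocalPolicyMerge nodes under DomainProfile, PrivateProfile and PublicProfile have AccessType `<Replace />` only, while DefaultOutboundAction and DefaultInboundAction in the same subtree have `<Get />` and `<Replace />`. A write-only on/off switch cannot be read back, so an MDM server cannot verify the firewall is actually enabled on a profile; add `<Get />` unless there is a deliberate reason to hide it. Also, the AllowLocalPolicyMerge Description ("The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.") is copied from the host firewall text; confirm a Group Policy RSoP store is meaningful for Hyper-V VM settings and trim it if not. Note that AllowHostPolicyMerge defaults to true, so host rules flow into the Hyper-V firewall unless an administrator opts out; that default is worth calling out in the reference page.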
@ -3231,7 +3831,8 @@ ServiceName</Description>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
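Review bot: The new pattern `^[0-9,-]+$` is applied with `<MSFT:List Delimiter="," />`, so each comma-separated item is validated individually, yet the character class still admits commas and accepts items such as "-", "1-", "1-2-3" or "70000". A per-item pattern like `^[0-9]+(-[0-9]+)?$` would reject malformed ranges before they reach the firewall engine; range order (start <= end) and the 0-65535 bound still need a runtime check, so the Description should say what happens to an out-of-range value. The same pattern is introduced in the three identical hunks that follow and in the HyperVLoopbackRules PortRanges node.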
@ -3258,7 +3859,8 @@ ServiceName</Description>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
@ -3396,7 +3998,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx">
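Review bot: The OsBuildVersion list mixes "10.0.22000" with no UBR and three 19042-19044 entries pinned to ".1706"; if the Windows 11 requirement is also a specific servicing build, give it here, and if any 22000 build qualifies, say so in the generated applicability table, since readers use this field to decide whether a policy will apply. The identical replacement further down in this file has the same question.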
@ -4022,7 +4624,8 @@ An IPv6 address range in the format of "start address - end address" with no spa
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
@ -4081,7 +4684,8 @@ An IPv6 address range in the format of "start address - end address" with no spa
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
@ -4197,16 +4801,15 @@ If not specified - a new rule is disabled by default.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<NodeName>Profiles</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.</Description>
<DFFormat>
<chr />
<int />
</DFFormat>
<Occurrence>
<One />
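Review bot: This hunk replaces the existing `Name` node (chr) with `Profiles` (int) rather than adding Profiles beside it, so any MDM configuration that sets Name on a firewall rule will stop matching the schema. If Name was intentionally removed, the commit message or a note in the reference page should flag it as a breaking change; if Name still exists elsewhere in the rule subtree, the hunk should be an insertion so the diff does not read as a rename.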
@ -4217,6 +4820,192 @@ If not specified - a new rule is disabled by default.</Description>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x2</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x4</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x7FFFFFFF</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>HyperVLoopbackRules</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>
</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>RuleName</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:DynamicNodeNaming>
<MSFT:ServerGeneratedUniqueIdentifier />
</MSFT:DynamicNodeNaming>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[^|/]*$</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:AtomicRequired />
</DFProperties>
<Node>
<NodeName>SourceVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DestinationVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PortRanges</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
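Review bot: The SourceVMCreatorId and DestinationVMCreatorId patterns `\{[0-9A-Fa-f]{8}\-...\}` are not anchored with `^` and `$`, so a value with extra text around a GUID still validates; add the anchors so the node only accepts a bare braced GUID. Three further points in this hunk: the loopback rule has PortRanges but no protocol node, so a port list is ambiguous between TCP and UDP and the Description should state which protocols the rule matches; the Enabled node is `<bool />` and its Description says "set to true", but the AllowedValues enumerate 0 and 1, so either the values or the format should be aligned; and the dynamic node's `<NodeName>` element is split across two lines and therefore contains whitespace rather than being empty, which a strict parser may treat as a literal node name. Also "Comma Separated list of ranges for eg. 100-120,200,300-320" should read "Comma-separated list of ranges, for example 100-120,200,300-320".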
@ -4240,7 +5029,7 @@ If not specified - a new rule is disabled by default.</Description>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>

View File

@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -746,7 +746,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Value | Description |
|:--|:--|
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
<!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
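Review bot: of the two rows for value 3 (Default), the one reading "any interactive logon sessions using the managed account will terminated" is missing "be"; if that is the incoming line, this hunk introduces a typo rather than removing one. The surviving row should read "will be terminated."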

View File

@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- PassportForWork-Begin -->
# PassportForWork CSP
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- PassportForWork-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
@ -30,6 +33,7 @@ The following list shows the PassportForWork configuration service provider node
- ./Device/Vendor/MSFT/PassportForWork
- [{TenantId}](#devicetenantid)
- [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
@ -160,6 +164,55 @@ Root node for policies.
<!-- Device-{TenantId}-Policies-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Begin -->
#### Device/{TenantId}/Policies/DisablePostLogonProvisioning
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Applicability-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonProvisioning
```
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-OmaUri-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Description-Begin -->
<!-- Description-Source-DDF -->
Do not start Windows Hello provisioning after sign-in.
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Description-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Editable-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-DFProperties-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-End -->
<!-- Device-{TenantId}-Policies-EnablePinRecovery-Begin -->
#### Device/{TenantId}/Policies/EnablePinRecovery
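Review bot: the allowed-values table for DisablePostLogonProvisioning ("false (Default) | Disabled.", "true | Enabled.") is ambiguous because the policy name is negated: "Enabled" here means provisioning is suppressed. Spell it out, e.g. "| true | Windows Hello provisioning does not start after sign-in. |" and "| false (Default) | Windows Hello provisioning starts after sign-in. |", and use the empty Editable section to say when an admin would want this. The description framework table also lists "Default Value | False" while the enum uses lowercase "false"; pick one casing.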
@ -1187,8 +1240,8 @@ Enhanced Sign-in Security (ESS) isolates both biometric template data and matchi
| Value | Description |
|:--|:--|
| 0 | Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended). |
| 1 (Default) | Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security). |
| 0 | ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations. In addition, with this setting, ESS will be enabled on devices with a mixture of biometric devices, such as an ESS capable FPR and a non-ESS capable camera. (not recommended). |
| 1 (Default) | ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello. (default and recommended for highest security). |
<!-- Device-Biometrics-EnableESSwithSupportedPeripherals-AllowedValues-End -->
<!-- Device-Biometrics-EnableESSwithSupportedPeripherals-GpMapping-Begin -->
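Review bot: the new descriptions for values 0 and 1 both open with the identical sentence "ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows.", so the actual difference (peripheral biometric devices allowed vs blocked) is buried mid-row. Lead each row with the distinguishing behavior, e.g. "| 0 | Peripheral Windows Hello capable devices are allowed for authentication, subject to current feature limitations; ESS is also enabled on devices that mix an ESS capable FPR with a non-ESS capable camera. (not recommended) |". The removed text also explained that a user with a secure enrollment loses it and must reset their PIN when ESS is turned off; if that consequence still applies under value 0, keep a sentence about it, since it is the operational impact an admin needs to know before changing the setting.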

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/24/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePostLogonProvisioning</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Do not start Windows Hello provisioning after sign-in.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>UseCertificateForOnPremAuth</NodeName>
<DFProperties>
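Review bot: `<DefaultValue>False</DefaultValue>` uses capitalized "False" while the `MSFT:Enum` values are lowercase "false"/"true"; a consumer that matches the default against the enum by string comparison will not find it, so use the same literal in both places. The `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>` placeholder is consistent with the Insider Preview note added to the markdown, but it needs to be replaced with real builds when the policy ships, as this commit does for the firewall rule node above.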
@ -1507,11 +1546,11 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended)</MSFT:ValueDescription>
<MSFT:ValueDescription>ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations. In addition, with this setting, ESS will be enabled on devices with a mixture of biometric devices, such as an ESS capable FPR and a non-ESS capable camera. (not recommended)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security)</MSFT:ValueDescription>
<MSFT:ValueDescription>ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello. (default and recommended for highest security)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:GpMapping GpEnglishName="Enable ESS with Supported Peripherals" GpAreaPath="Passport~AT~WindowsComponents~MSPassportForWorkCategory" />
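Review bot: same readability issue as the markdown table: both `MSFT:ValueDescription` strings for this enum start with the same sentence, leaving only "(not recommended)" and the mid-string peripheral clause to tell the two apart. Lead each description with the peripheral behavior so it reads consistently with the `GpEnglishName` "Enable ESS with Supported Peripherals", where value 0 is the setting that permits peripherals.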

View File

@ -4,7 +4,7 @@ description: Learn more about the PDE CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/28/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -26,7 +26,13 @@ The following list shows the PDE configuration service provider nodes:
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- [ProtectFolders](#protectfolders)
- [ProtectDesktop](#protectfoldersprotectdesktop)
- [ProtectDocuments](#protectfoldersprotectdocuments)
- [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
- [FolderProtectionStatus](#statusfolderprotectionstatus)
- [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
<!-- PDE-Tree-End -->
@ -79,6 +85,188 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-EnablePersonalDataEncryption-End -->
<!-- User-ProtectFolders-Begin -->
## ProtectFolders
<!-- User-ProtectFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-Applicability-End -->
<!-- User-ProtectFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders
```
<!-- User-ProtectFolders-OmaUri-End -->
<!-- User-ProtectFolders-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- User-ProtectFolders-Description-End -->
<!-- User-ProtectFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-Editable-End -->
<!-- User-ProtectFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- User-ProtectFolders-DFProperties-End -->
<!-- User-ProtectFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-Examples-End -->
<!-- User-ProtectFolders-End -->
<!-- User-ProtectFolders-ProtectDesktop-Begin -->
### ProtectFolders/ProtectDesktop
<!-- User-ProtectFolders-ProtectDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectDesktop-Applicability-End -->
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
```
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDesktop-Description-End -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-End -->
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-End -->
<!-- User-ProtectFolders-ProtectDesktop-End -->
<!-- User-ProtectFolders-ProtectDocuments-Begin -->
### ProtectFolders/ProtectDocuments
<!-- User-ProtectFolders-ProtectDocuments-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectDocuments-Applicability-End -->
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
```
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDocuments-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDocuments-Description-End -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-End -->
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-End -->
<!-- User-ProtectFolders-ProtectDocuments-End -->
<!-- User-ProtectFolders-ProtectPictures-Begin -->
### ProtectFolders/ProtectPictures
<!-- User-ProtectFolders-ProtectPictures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectPictures-Applicability-End -->
<!-- User-ProtectFolders-ProtectPictures-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
```
<!-- User-ProtectFolders-ProtectPictures-OmaUri-End -->
<!-- User-ProtectFolders-ProtectPictures-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectPictures-Description-End -->
<!-- User-ProtectFolders-ProtectPictures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Editable-End -->
<!-- User-ProtectFolders-ProtectPictures-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectPictures-DFProperties-End -->
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectPictures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Examples-End -->
<!-- User-ProtectFolders-ProtectPictures-End -->
<!-- User-Status-Begin -->
## Status
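Review bot: the `ProtectFolders` parent section carries `<!-- Description-Source-Not-Found -->` and an empty Editable block, so the rendered page has no description at all for the node that ProtectDesktop, ProtectDocuments and ProtectPictures hang off; add a one-line description in the DDF (the generator picks it up) or in the Editable section. The child descriptions ("Set to '1' to set this policy.") also omit the point the allowed-values rows make: setting 0 on an already protected folder unprotects it, which is a change in data protection rather than a no-op and belongs in the description itself.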
@ -121,6 +309,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
<!-- User-Status-End -->
<!-- User-Status-FolderProtectionStatus-Begin -->
### Status/FolderProtectionStatus
<!-- User-Status-FolderProtectionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-Status-FolderProtectionStatus-Applicability-End -->
<!-- User-Status-FolderProtectionStatus-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
```
<!-- User-Status-FolderProtectionStatus-OmaUri-End -->
<!-- User-Status-FolderProtectionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports folder protection status for a user.
<!-- User-Status-FolderProtectionStatus-Description-End -->
<!-- User-Status-FolderProtectionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Editable-End -->
<!-- User-Status-FolderProtectionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- User-Status-FolderProtectionStatus-DFProperties-End -->
<!-- User-Status-FolderProtectionStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Protection not started. |
| 1 | Protection is completed with no failures. |
| 2 | Protection in progress. |
| 3 | Protection failed. |
<!-- User-Status-FolderProtectionStatus-AllowedValues-End -->
<!-- User-Status-FolderProtectionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Examples-End -->
<!-- User-Status-FolderProtectionStatus-End -->
<!-- User-Status-FoldersProtected-Begin -->
### Status/FoldersProtected
<!-- User-Status-FoldersProtected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-Status-FoldersProtected-Applicability-End -->
<!-- User-Status-FoldersProtected-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FoldersProtected
```
<!-- User-Status-FoldersProtected-OmaUri-End -->
<!-- User-Status-FoldersProtected-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports all folders (full path to each folder) that have been protected.
<!-- User-Status-FoldersProtected-Description-End -->
<!-- User-Status-FoldersProtected-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Editable-End -->
<!-- User-Status-FoldersProtected-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get |
<!-- User-Status-FoldersProtected-DFProperties-End -->
<!-- User-Status-FoldersProtected-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Examples-End -->
<!-- User-Status-FoldersProtected-End -->
<!-- User-Status-PersonalDataEncryptionStatus-Begin -->
### Status/PersonalDataEncryptionStatus
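Review bot: `Status/FoldersProtected` is documented as a `chr (string)` that "reports all folders (full path to each folder)", but the format of that string is unspecified: an MDM reporting pipeline needs to know how multiple paths are delimited (newline, semicolon, or something else) to parse it, so state the separator. For `Status/FolderProtectionStatus`, value 3 "Protection failed." gives no pointer to where the failure reason is surfaced, and since the node is per user rather than per folder, say so explicitly so one failed folder among three is not misread as a folder-level status.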

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/17/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -83,6 +83,128 @@ The following XML file contains the device description framework (DDF) for the P
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectFolders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>ProtectDocuments</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectDesktop</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectPictures</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
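Review bot: the three child nodes under `ProtectFolders` declare `<Occurrence><One /></Occurrence>` while their `<AccessType>` includes `<Delete />`; a node that can be deleted is normally declared `<ZeroOrOne />`, as the `DisablePostLogonProvisioning` node elsewhere in this commit is. The `ProtectFolders` parent also has no `<Description>` element, which is why the generated markdown shows `Description-Source-Not-Found`; add it here rather than in the markdown so it survives regeneration. Minor: the DDF orders the children Documents, Desktop, Pictures while the markdown tree lists Desktop, Documents, Pictures.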
@ -123,6 +245,66 @@ The following XML file contains the device description framework (DDF) for the P
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FolderProtectionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports folder protection status for a user. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>FoldersProtected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports all folders (full path to each folder) that have been protected.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
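Review bot: `<Description>This node reports folder protection status for a user. </Description>` has a trailing space inside the element that will be carried into the generated markdown; trim it. For `FoldersProtected`, the `<chr />` node's description should say how multiple full paths are delimited, since "all folders" packed into one string is otherwise unparseable by a management client.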

View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/18/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2303,7 +2303,9 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableSettings](policy-csp-desktopappinstaller.md)
- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md)
- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md)
- [EnableBypassCertificatePinningForMicrosoftStore](policy-csp-desktopappinstaller.md)
- [EnableHashOverride](policy-csp-desktopappinstaller.md)
- [EnableLocalArchiveMalwareScanOverride](policy-csp-desktopappinstaller.md)
- [EnableDefaultSource](policy-csp-desktopappinstaller.md)
- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md)
- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md)

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/03/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -340,6 +340,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ClearTextPassword](policy-csp-devicelock.md)
- [PasswordComplexity](policy-csp-devicelock.md)
- [PasswordHistorySize](policy-csp-devicelock.md)
- [AccountLockoutThreshold](policy-csp-devicelock.md)
- [AccountLockoutDuration](policy-csp-devicelock.md)
- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md)
- [AllowAdministratorLockout](policy-csp-devicelock.md)
## Display
@ -400,6 +404,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ForceInstantLock](policy-csp-humanpresence.md)
- [ForceLockTimeout](policy-csp-humanpresence.md)
- [ForceInstantDim](policy-csp-humanpresence.md)
- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md)
- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md)
- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md)
- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md)
## Kerberos
@ -511,6 +519,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DisallowNotificationMirroring](policy-csp-notifications.md)
- [DisallowTileNotification](policy-csp-notifications.md)
- [EnableExpandedToastNotifications](policy-csp-notifications.md)
- [DisallowCloudNotification](policy-csp-notifications.md)
- [WnsEndpoint](policy-csp-notifications.md)
@ -574,6 +583,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md)
- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_ForceDenyTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_UserInControlOfTheseApps](policy-csp-privacy.md)
- [LetAppsAccessLocation](policy-csp-privacy.md)
- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md)
@ -676,6 +689,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md)
@ -686,6 +700,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
@ -869,6 +884,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DenyLogOnAsBatchJob](policy-csp-userrights.md)
- [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyServiceLogonRight](policy-csp-userrights.md)
## VirtualizationBasedTechnology

View File

@ -1,99 +1,378 @@
---
title: Policies in Policy CSP supported by Microsoft Surface Hub
description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub.
ms.reviewer:
title: Policies in Policy CSP supported by Windows 10 Team
description: Learn about the policies in Policy CSP supported by Windows 10 Team.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 03/28/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 07/22/2020
ms.topic: reference
---
# Policies in Policy CSP supported by Microsoft Surface Hub
<!-- Auto-Generated CSP Document -->
- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#allowdeveloperunlock)
- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#allowmicrosoftaccountconnection)
- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [Defender/PUAProtection](policy-csp-defender.md#puaprotection)
- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [Defender/ScanParameter](policy-csp-defender.md#scanparameter)
- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md) (Deprecated)
- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
# Policies in Policy CSP supported by Windows 10 Team
## Related topics
This article lists the policies in Policy CSP that are applicable for the Surface Hub operating system, **Windows 10 Team**.
[Policy CSP](policy-configuration-service-provider.md)
## ApplicationDefaults
- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md#defaultassociationsconfiguration)
## ApplicationManagement
- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
## Bluetooth
- [AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
- [AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
- [AllowPrepairing](policy-csp-bluetooth.md#allowprepairing)
- [AllowPromptedProximalConnections](policy-csp-bluetooth.md#allowpromptedproximalconnections)
- [LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
- [ServicesAllowedList](policy-csp-bluetooth.md#servicesallowedlist)
- [SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#setminimumencryptionkeysize)
## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md#allowaddressbardropdown)
- [AllowAutofill](policy-csp-browser.md#allowautofill)
- [AllowBrowser](policy-csp-browser.md#allowbrowser)
- [AllowCookies](policy-csp-browser.md#allowcookies)
- [AllowDeveloperTools](policy-csp-browser.md#allowdevelopertools)
- [AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
- [AllowFlashClickToRun](policy-csp-browser.md#allowflashclicktorun)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md#allowmicrosoftcompatibilitylist)
- [AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
- [AllowPopups](policy-csp-browser.md#allowpopups)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
- [AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [ClearBrowsingDataOnExit](policy-csp-browser.md#clearbrowsingdataonexit)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md#configureadditionalsearchengines)
- [DisableLockdownOfStartPages](policy-csp-browser.md#disablelockdownofstartpages)
- [EnterpriseModeSiteList](policy-csp-browser.md#enterprisemodesitelist)
- [HomePages](policy-csp-browser.md#homepages)
- [PreventLiveTileDataCollection](policy-csp-browser.md#preventlivetiledatacollection)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md#preventsmartscreenpromptoverride)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md#preventusinglocalhostipaddressforwebrtc)
- [SetDefaultSearchEngine](policy-csp-browser.md#setdefaultsearchengine)
## Camera
- [AllowCamera](policy-csp-camera.md#allowcamera)
## Connectivity
- [AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
- [AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices)
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender
- [AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [AllowIntrusionPreventionSystem](policy-csp-defender.md#allowintrusionpreventionsystem)
- [AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md#attacksurfacereductiononlyexclusions)
- [AttackSurfaceReductionRules](policy-csp-defender.md#attacksurfacereductionrules)
- [AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md#checkforsignaturesbeforerunningscan)
- [CloudBlockLevel](policy-csp-defender.md#cloudblocklevel)
- [CloudExtendedTimeout](policy-csp-defender.md#cloudextendedtimeout)
- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md#controlledfolderaccessallowedapplications)
- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md#controlledfolderaccessprotectedfolders)
- [DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [DisableCatchupFullScan](policy-csp-defender.md#disablecatchupfullscan)
- [DisableCatchupQuickScan](policy-csp-defender.md#disablecatchupquickscan)
- [EnableControlledFolderAccess](policy-csp-defender.md#enablecontrolledfolderaccess)
- [EnableLowCPUPriority](policy-csp-defender.md#enablelowcpupriority)
- [EnableNetworkProtection](policy-csp-defender.md#enablenetworkprotection)
- [ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [PUAProtection](policy-csp-defender.md#puaprotection)
- [RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [ScanParameter](policy-csp-defender.md#scanparameter)
- [ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [SecurityIntelligenceLocation](policy-csp-defender.md#securityintelligencelocation)
- [SignatureUpdateFallbackOrder](policy-csp-defender.md#signatureupdatefallbackorder)
- [SignatureUpdateFileSharesSources](policy-csp-defender.md#signatureupdatefilesharessources)
- [SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
## DeliveryOptimization
- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
- [DOCacheHost](policy-csp-deliveryoptimization.md#docachehost)
- [DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource)
- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelaybackgrounddownloadfromhttp)
- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground)
- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground)
- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelayforegrounddownloadfromhttp)
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
- [DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
- [DOGroupIdSource](policy-csp-deliveryoptimization.md#dogroupidsource)
- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth)
- [DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
- [DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth)
- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload)
- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth)
- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth)
- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby)
- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth)
- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## ExploitGuard
- [ExploitProtectionSettings](policy-csp-exploitguard.md#exploitprotectionsettings)
## LocalUsersAndGroups
- [Configure](policy-csp-localusersandgroups.md#configure)
## NetworkIsolation
- [EnterpriseCloudResources](policy-csp-networkisolation.md#enterprisecloudresources)
- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md#enterpriseinternalproxyservers)
- [EnterpriseIPRange](policy-csp-networkisolation.md#enterpriseiprange)
- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md#enterpriseiprangesareauthoritative)
- [EnterpriseNetworkDomainNames](policy-csp-networkisolation.md#enterprisenetworkdomainnames)
- [EnterpriseProxyServers](policy-csp-networkisolation.md#enterpriseproxyservers)
- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md#enterpriseproxyserversareauthoritative)
- [NeutralResources](policy-csp-networkisolation.md#neutralresources)
## Privacy
- [AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
- [DisableAdvertisingId](policy-csp-privacy.md#disableadvertisingid)
- [LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_userincontroloftheseapps)
- [LetAppsAccessCalendar](policy-csp-privacy.md#letappsaccesscalendar)
- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscalendar_forceallowtheseapps)
- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscalendar_forcedenytheseapps)
- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscalendar_userincontroloftheseapps)
- [LetAppsAccessCallHistory](policy-csp-privacy.md#letappsaccesscallhistory)
- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_forceallowtheseapps)
- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_forcedenytheseapps)
- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_userincontroloftheseapps)
- [LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps)
- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps)
- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps)
- [LetAppsAccessContacts](policy-csp-privacy.md#letappsaccesscontacts)
- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscontacts_forceallowtheseapps)
- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscontacts_forcedenytheseapps)
- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscontacts_userincontroloftheseapps)
- [LetAppsAccessEmail](policy-csp-privacy.md#letappsaccessemail)
- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessemail_forceallowtheseapps)
- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessemail_forcedenytheseapps)
- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessemail_userincontroloftheseapps)
- [LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesslocation_forceallowtheseapps)
- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesslocation_forcedenytheseapps)
- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesslocation_userincontroloftheseapps)
- [LetAppsAccessMessaging](policy-csp-privacy.md#letappsaccessmessaging)
- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmessaging_forceallowtheseapps)
- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmessaging_forcedenytheseapps)
- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmessaging_userincontroloftheseapps)
- [LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps)
- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps)
- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps)
- [LetAppsAccessNotifications](policy-csp-privacy.md#letappsaccessnotifications)
- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessnotifications_forceallowtheseapps)
- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessnotifications_forcedenytheseapps)
- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessnotifications_userincontroloftheseapps)
- [LetAppsAccessPhone](policy-csp-privacy.md#letappsaccessphone)
- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessphone_forceallowtheseapps)
- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessphone_forcedenytheseapps)
- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessphone_userincontroloftheseapps)
- [LetAppsAccessRadios](policy-csp-privacy.md#letappsaccessradios)
- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessradios_forceallowtheseapps)
- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessradios_forcedenytheseapps)
- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessradios_userincontroloftheseapps)
- [LetAppsAccessTasks](policy-csp-privacy.md#letappsaccesstasks)
- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesstasks_forceallowtheseapps)
- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesstasks_forcedenytheseapps)
- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesstasks_userincontroloftheseapps)
- [LetAppsAccessTrustedDevices](policy-csp-privacy.md#letappsaccesstrusteddevices)
- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_forceallowtheseapps)
- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_forcedenytheseapps)
- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_userincontroloftheseapps)
- [LetAppsActivateWithVoice](policy-csp-privacy.md#letappsactivatewithvoice)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#letappsactivatewithvoiceabovelock)
- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md#letappsgetdiagnosticinfo)
- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_forceallowtheseapps)
- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_forcedenytheseapps)
- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_userincontroloftheseapps)
- [LetAppsRunInBackground](policy-csp-privacy.md#letappsruninbackground)
- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md#letappsruninbackground_forceallowtheseapps)
- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md#letappsruninbackground_forcedenytheseapps)
- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md#letappsruninbackground_userincontroloftheseapps)
- [LetAppsSyncWithDevices](policy-csp-privacy.md#letappssyncwithdevices)
- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md#letappssyncwithdevices_forceallowtheseapps)
- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md#letappssyncwithdevices_forcedenytheseapps)
- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md#letappssyncwithdevices_userincontroloftheseapps)
## RestrictedGroups
- [ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
## Security
- [RecoveryEnvironmentAuthentication](policy-csp-security.md#recoveryenvironmentauthentication)
- [RequireProvisioningPackageSignature](policy-csp-security.md#requireprovisioningpackagesignature)
- [RequireRetrieveHealthCertificateOnBoot](policy-csp-security.md#requireretrievehealthcertificateonboot)
## Start
- [StartLayout](policy-csp-start.md#startlayout)
## System
- [AllowBuildPreview](policy-csp-system.md#allowbuildpreview)
- [AllowExperimentation](policy-csp-system.md#allowexperimentation)
- [AllowFontProviders](policy-csp-system.md#allowfontproviders)
- [AllowLocation](policy-csp-system.md#allowlocation)
- [AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [AllowTelemetry](policy-csp-system.md#allowtelemetry)
## TextInput
- [AllowHardwareKeyboardTextSuggestions](policy-csp-textinput.md#allowhardwarekeyboardtextsuggestions)
- [AllowIMELogging](policy-csp-textinput.md#allowimelogging)
- [AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
- [AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
- [AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
- [AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
- [AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
- [AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
- [AllowKeyboardTextSuggestions](policy-csp-textinput.md#allowkeyboardtextsuggestions)
- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
- [AllowLinguisticDataCollection](policy-csp-textinput.md#allowlinguisticdatacollection)
- [AllowTextInputSuggestionUpdate](policy-csp-textinput.md#allowtextinputsuggestionupdate)
- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md#configurejapaneseimeversion)
- [ConfigureKoreanIMEVersion](policy-csp-textinput.md#configurekoreanimeversion)
- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#configuresimplifiedchineseimeversion)
- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#configuretraditionalchineseimeversion)
- [EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode)
- [ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
- [ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [ForceTouchKeyboardDockedState](policy-csp-textinput.md#forcetouchkeyboarddockedstate)
- [TouchKeyboardDictationButtonAvailability](policy-csp-textinput.md#touchkeyboarddictationbuttonavailability)
- [TouchKeyboardEmojiButtonAvailability](policy-csp-textinput.md#touchkeyboardemojibuttonavailability)
- [TouchKeyboardFullModeAvailability](policy-csp-textinput.md#touchkeyboardfullmodeavailability)
- [TouchKeyboardHandwritingModeAvailability](policy-csp-textinput.md#touchkeyboardhandwritingmodeavailability)
- [TouchKeyboardNarrowModeAvailability](policy-csp-textinput.md#touchkeyboardnarrowmodeavailability)
- [TouchKeyboardSplitModeAvailability](policy-csp-textinput.md#touchkeyboardsplitmodeavailability)
- [TouchKeyboardWideModeAvailability](policy-csp-textinput.md#touchkeyboardwidemodeavailability)
## TimeLanguageSettings
- [ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
## Update
- [ActiveHoursEnd](policy-csp-update.md#activehoursend)
- [ActiveHoursMaxRange](policy-csp-update.md#activehoursmaxrange)
- [ActiveHoursStart](policy-csp-update.md#activehoursstart)
- [AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
- [ConfigureFeatureUpdateUninstallPeriod](policy-csp-update.md#configurefeatureupdateuninstallperiod)
- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [DeferUpdatePeriod](policy-csp-update.md#deferupdateperiod)
- [DeferUpgradePeriod](policy-csp-update.md#deferupgradeperiod)
- [DetectionFrequency](policy-csp-update.md#detectionfrequency)
- [DisableDualScan](policy-csp-update.md#disabledualscan)
- [DisableWUfBSafeguards](policy-csp-update.md#disablewufbsafeguards)
- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md#donotenforceenterprisetlscertpinningforupdatedetection)
- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md#excludewudriversinqualityupdate)
- [FillEmptyContentUrls](policy-csp-update.md#fillemptycontenturls)
- [IgnoreMOAppDownloadLimit](policy-csp-update.md#ignoremoappdownloadlimit)
- [IgnoreMOUpdateDownloadLimit](policy-csp-update.md#ignoremoupdatedownloadlimit)
- [ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
- [PauseDeferrals](policy-csp-update.md#pausedeferrals)
- [PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates)
- [PauseFeatureUpdatesStartTime](policy-csp-update.md#pausefeatureupdatesstarttime)
- [PauseQualityUpdates](policy-csp-update.md#pausequalityupdates)
- [PauseQualityUpdatesStartTime](policy-csp-update.md#pausequalityupdatesstarttime)
- [RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
- [RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
- [ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
- [ScheduledInstallEveryWeek](policy-csp-update.md#scheduledinstalleveryweek)
- [ScheduledInstallFirstWeek](policy-csp-update.md#scheduledinstallfirstweek)
- [ScheduledInstallFourthWeek](policy-csp-update.md#scheduledinstallfourthweek)
- [ScheduledInstallSecondWeek](policy-csp-update.md#scheduledinstallsecondweek)
- [ScheduledInstallThirdWeek](policy-csp-update.md#scheduledinstallthirdweek)
- [ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md#setpolicydrivenupdatesourcefordriverupdates)
- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforfeatureupdates)
- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforotherupdates)
- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforqualityupdates)
- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md#setproxybehaviorforupdatedetection)
- [UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
- [UpdateServiceUrlAlternate](policy-csp-update.md#updateserviceurlalternate)
## Wifi
- [AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
- [AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
- [AllowWiFi](policy-csp-wifi.md#allowwifi)
- [AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
- [WLANScanMode](policy-csp-wifi.md#wlanscanmode)
## WirelessDisplay
- [AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
- [AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
- [AllowMovementDetectionOnInfrastructure](policy-csp-wirelessdisplay.md#allowmovementdetectiononinfrastructure)
- [AllowPCReceiverToBeTCPServer](policy-csp-wirelessdisplay.md#allowpcreceivertobetcpserver)
- [AllowPCSenderToBeTCPClient](policy-csp-wirelessdisplay.md#allowpcsendertobetcpclient)
- [AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
- [AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
- [AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
- [AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
- [AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
- [RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

View File

@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -40,7 +40,7 @@ ms.topic: reference
<!-- AllowActionCenterNotifications-Description-Begin -->
<!-- Description-Source-DDF -->
This policy is deprecated
This policy is deprecated.
<!-- AllowActionCenterNotifications-Description-End -->
<!-- AllowActionCenterNotifications-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Accounts Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -37,7 +37,7 @@ ms.topic: reference
<!-- AllowAddingNonMicrosoftAccountsManually-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0
Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP.
@ -138,10 +138,10 @@ Specifies whether the user is allowed to use an MSA account for non-email relate
<!-- AllowMicrosoftAccountSignInAssistant-Description-Begin -->
<!-- Description-Source-DDF -->
Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service
Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service.
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are.
> [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to "step-up" from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
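Review bot: the first `[!NOTE]` in this hunk still reads as an unfinished sentence after the added full stop, because "See Feature updates are not being offered while other updates are." quotes an article title without setting it off or linking it. Put the title in quotation marks and link it to the corresponding support article, for example: See "Feature updates are not being offered while other updates are" (linked). The two consecutive `> [!NOTE]` blocks about disabling the same service could also be merged into one callout with two points.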

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -110,7 +110,7 @@ You can use this setting to direct users to the programs they are most likely to
<!-- Description-Source-ADMX -->
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
- If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users.
If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users.
This setting does not prevent users from using other tools and methods to add or remove program components.
@ -173,7 +173,7 @@ This setting does not prevent users from using other tools and methods to add or
<!-- Description-Source-ADMX -->
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
- If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users.
If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users.
This setting does not prevent users from using other tools and methods to connect to Windows Update.
@ -305,7 +305,7 @@ Removes the Add New Programs button from the Add or Remove Programs bar. As a re
The Add New Programs button lets users install programs published or assigned by a system administrator.
- If you disable this setting or do not configure it, the Add New Programs button is available to all users.
If you disable this setting or do not configure it, the Add New Programs button is available to all users.
This setting does not prevent users from using other tools and methods to install programs.
<!-- NoAddPage-Description-End -->
@ -369,7 +369,7 @@ This setting removes Add or Remove Programs from Control Panel and removes the A
Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
- If you disable this setting or do not configure it, Add or Remove Programs is available to all users.
If you disable this setting or do not configure it, Add or Remove Programs is available to all users.
When enabled, this setting takes precedence over the other settings in this folder.
@ -433,7 +433,7 @@ Removes the Set Program Access and Defaults button from the Add or Remove Progra
The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
- If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users.
If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users.
This setting does not prevent users from using other tools and methods to change program access or defaults.
@ -497,7 +497,7 @@ Removes the Change or Remove Programs button from the Add or Remove Programs bar
The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
- If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users.
If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users.
This setting does not prevent users from using other tools and methods to delete or uninstall programs.
<!-- NoRemovePage-Description-End -->
@ -560,6 +560,7 @@ Prevents users from using Add or Remove Programs to configure installed services
This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
- If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services.
- If you enable this setting, "Set up services" never appears.
This setting does not prevent users from using other methods to configure services.
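Review bot: the new bullet "- If you enable this setting, "Set up services" never appears." is placed after the disable/not-configured case, whereas the other descriptions in this file (see the NoAddPage, NoRemovePage and NoWindowsSetupPage hunks) state the enabled behaviour first and the disable/not-configured case second; swap the two bullets for consistency. The lead sentence "This setting removes the "Set up services" section..." already describes the enabled behaviour, so if the bullet is kept it should not contradict or merely repeat that sentence.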
@ -627,7 +628,7 @@ Removes links to the Support Info dialog box from programs on the Change or Remo
Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
- If you disable this setting or do not configure it, the Support Info hyperlink appears.
If you disable this setting or do not configure it, the Support Info hyperlink appears.
> [!NOTE]
> Not all programs provide a support information hyperlink.
@ -690,7 +691,7 @@ Removes the Add/Remove Windows Components button from the Add or Remove Programs
The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
- If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users.
If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users.
This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
<!-- NoWindowsSetupPage-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -241,7 +241,8 @@ The Windows Resource Protection and User Account Control features of Windows use
This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes.
> [!NOTE]
> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes.
<!-- AppCompatTurnOffEngine-Description-End -->
<!-- AppCompatTurnOffEngine-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AuditSettings Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -45,6 +45,7 @@ ms.topic: reference
This policy setting determines what information is logged in security audit events when a new process has been created.
This setting only applies when the Audit Process Creation policy is enabled.
- If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
- If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
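Review bot: the added bullet needs a comma after "If you enable this policy setting", and, more importantly, since it states that the command line of every process is logged in plain text in the Security event log as part of event 4688, the description should say what that implies for readers of that log: anyone with read access to the Security log can see the full command-line arguments of every process, which may include passwords or other sensitive data passed on the command line. A short `> [!NOTE]` to that effect next to the bullet would make the trade-off explicit for admins who enable this setting for detection purposes.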

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -117,7 +117,7 @@ NistP384
To See all the curves supported on the system, Use the following command:
CertUtil.exe -DisplayEccCurve
CertUtil.exe -DisplayEccCurve.
<!-- SSLCurveOrder-Description-End -->
<!-- SSLCurveOrder-Editable-Begin -->
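Review bot: the full stop appended in "CertUtil.exe -DisplayEccCurve." becomes part of the command when a reader copies it; this line is a command, not a sentence, so keep it without the trailing period and put it in a code span or a fenced block (`CertUtil.exe -DisplayEccCurve`). The lead-in "To See all the curves supported on the system, Use the following command:" also has stray capitals on "See" and "Use".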

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
- If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
@ -120,6 +120,7 @@ This policy setting controls the default Control Panel view, whether by category
- If this policy setting is disabled, the Control Panel opens to the category view.
- If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session.
> [!NOTE]
> Icon size is dependent upon what the user has set it to in the previous session.
<!-- ForceClassicControlPanel-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/13/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
Disables the Display Control Panel.
- If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
<!-- CPL_Display_Disable-Description-End -->
@ -537,7 +537,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
- If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
<!-- CPL_Personalization_NoChangingLockScreen-Description-End -->
<!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin -->
@ -597,7 +597,7 @@ Prevents users from changing the look of their start menu background, such as it
By default, users can change the look of their start menu background, such as its color or accent.
- If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy.
@ -661,7 +661,7 @@ Disables the Color (or Window Color) page in the Personalization Control Panel,
This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
- If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel.
<!-- CPL_Personalization_NoColorAppearanceUI-Description-End -->
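Review bot: the unchanged context line "this setting hides the Appearance and Themes tabs in the in Display in Control Panel" has a doubled "in the in"; while this hunk is being touched it should read "in Display in Control Panel".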
@ -723,7 +723,7 @@ Prevents users from adding or changing the background design of the desktop.
By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop.
- If you enable this setting, none of the Desktop Background settings can be changed by the user.
If you enable this setting, none of the Desktop Background settings can be changed by the user.
To specify wallpaper for a group, use the "Desktop Wallpaper" setting.
@ -790,7 +790,7 @@ Prevents users from changing the desktop icons.
By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons.
- If you enable this setting, none of the desktop icons can be changed by the user.
If you enable this setting, none of the desktop icons can be changed by the user.
For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel.
<!-- CPL_Personalization_NoDesktopIconsUI-Description-End -->
@ -912,7 +912,7 @@ Prevents users from changing the mouse pointers.
By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers.
- If you enable this setting, none of the mouse pointer scheme settings can be changed by the user.
If you enable this setting, none of the mouse pointer scheme settings can be changed by the user.
<!-- CPL_Personalization_NoMousePointersUI-Description-End -->
<!-- CPL_Personalization_NoMousePointersUI-Editable-Begin -->
@ -1030,7 +1030,7 @@ Prevents users from changing the sound scheme.
By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme.
- If you enable this setting, none of the Sound Scheme settings can be changed by the user.
If you enable this setting, none of the Sound Scheme settings can be changed by the user.
<!-- CPL_Personalization_NoSoundSchemeUI-Description-End -->
<!-- CPL_Personalization_NoSoundSchemeUI-Editable-Begin -->
@ -1090,7 +1090,7 @@ Forces Windows to use the specified colors for the background and accent. The co
By default, users can change the background and accent colors.
- If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
<!-- CPL_Personalization_PersonalColors-Description-End -->
<!-- CPL_Personalization_PersonalColors-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredentialProviders Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -173,7 +173,7 @@ credential providers from use during authentication.
**Note** credential providers are used to process and validate user
credentials during logon or when authentication is required.
Windows Vista provides two default credential providers
Windows Vista provides two default credential providers:
Password and Smart Card. An administrator can install additional
credential providers for different sets of credentials
(for example, to support biometric authentication).

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredSsp Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -50,7 +50,7 @@ This policy setting applies when server authentication was achieved by using a t
The policy becomes effective the next time the user signs on to a computer running Windows.
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
- If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
FWlink for KB:
<https://go.microsoft.com/fwlink/?LinkId=301508>
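Review bot: the bulleted line ends with "For more information, see KB." and the link is then given two lines later as a bare "FWlink for KB:" URL; fold the link into the sentence instead, e.g. "For more information, see [KB 301508 via FWLink](https://go.microsoft.com/fwlink/?LinkId=301508)" or simply "see the KB article at <https://go.microsoft.com/fwlink/?LinkId=301508>", and drop the separate "FWlink for KB:" line.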
@ -61,7 +61,7 @@ FWlink for KB:
For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowDefaultCredentials-Description-End -->
<!-- AllowDefaultCredentials-Editable-Begin -->
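Review bot: the example rows in this hunk run the SPN pattern and its explanation together on one line ("TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com."), so with the added full stop it is unclear where the value an admin enters into the policy ends. Put the SPN in a code span and separate it from the description, e.g. `TERMSRV/*.humanresources.fabrikam.com`: Remote Desktop Session Hosts on all machines in humanresources.fabrikam.com, or turn the three rows into a two-column table; the same applies to the identical example blocks in the later hunks of this file.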
@ -123,7 +123,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
- If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
> [!NOTE]
> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -131,7 +131,7 @@ If you disable or do not configure (by default) this policy setting, delegation
For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowDefCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowDefCredentialsWhenNTLMOnly-Editable-Begin -->
@ -189,19 +189,19 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all
<!-- Description-Source-ADMX -->
Encryption Oracle Remediation
This policy setting applies to applications using the CredSSP component (for example Remote Desktop Connection).
This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).
Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.
- If you enable this policy setting, CredSSP version support will be selected based on the following options
If you enable this policy setting, CredSSP version support will be selected based on the following options:
Force Updated Clients Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version.
Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version.
Mitigated Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
Vulnerable Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
For more information about the vulnerability and servicing requirements for protection, see <https//go.microsoft.com/fwlink/?linkid=866660>
For more information about the vulnerability and servicing requirements for protection, see <https://go.microsoft.com/fwlink/?linkid=866660>
<!-- AllowEncryptionOracle-Description-End -->
<!-- AllowEncryptionOracle-Editable-Begin -->
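Review bot: the URL fix from "https//" to "https://" is correct, but the three protection levels in this hunk ("Force Updated Clients:", "Mitigated:", "Vulnerable:") would read more clearly as a bulleted list, and the inline "**Note** this setting should not be deployed until all remote hosts support the newest version." under Force Updated Clients should use the `> [!NOTE]` callout that this same commit introduces elsewhere (see the ADMX_AppCompat hunk). The description also never says which level applies when the policy is not configured; since "Vulnerable" is described as exposing remote servers to attack and "Mitigated" as the level that still stops clients falling back to the insecure version, stating the default would help admins choose.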
@ -262,7 +262,7 @@ This policy setting applies when server authentication was achieved via a truste
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
@ -273,7 +273,7 @@ For Example:
TERMSRV/host.humanresources.fabrikam.com
Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowFreshCredentials-Description-End -->
<!-- AllowFreshCredentials-Editable-Begin -->
@ -335,7 +335,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
@ -345,7 +345,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowFreshCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowFreshCredentialsWhenNTLMOnly-Editable-Begin -->
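Review bot: the changed line says "all machines in humanresources.fabrikam.com." while the same example in the AllowDefaultCredentials and AllowFreshCredentials hunks above says ".humanresources.fabrikam.com" with a leading dot; the wildcard SPN `TERMSRV/*.humanresources.fabrikam.com` is the same in all of them, so pick one wording and use it in every example block in this file.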
@ -407,7 +407,7 @@ This policy setting applies when server authentication was achieved via a truste
- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
@ -417,7 +417,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowSavedCredentials-Description-End -->
<!-- AllowSavedCredentials-Editable-Begin -->
@ -479,7 +479,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
- If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
- If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
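Review bot: the bullet added to the "If you do not configure" paragraph carries the security-relevant default for this setting (saved credentials may be delegated to `TERMSRV/*`, that is any host, when the client is not domain-joined; to no host when it is), and packing both defaults into one item makes the domain-joined case easy to miss; consider splitting it into two bullets, one per client state, so the parallel structure with the enable/disable bullets is kept.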
@ -489,7 +489,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowSavedCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowSavedCredentialsWhenNTLMOnly-Editable-Begin -->
@ -549,7 +549,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
- If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE]
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
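Review bot: the bullet now added for "If you disable or do not configure (by default) this policy setting" keeps the parenthetical "(by default)" after "do not configure", which reads awkwardly and is redundant with "do not configure"; since the line is being rewritten anyway, "If you disable or do not configure this policy setting" would be cleaner. The same phrasing is repeated in the fresh-credentials and saved-credentials hunks below.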
@ -619,7 +619,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
- If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE]
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -689,7 +689,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
- If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE]
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This policy setting prevents users from changing their Windows password on demand.
- If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
<!-- DisableChangePassword-Description-End -->
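Review bot: this hunk drops the "- " bullet from a solitary "If you enable this policy setting" sentence, while the ADMX_CredSsp hunks above add bullets to "If you do not configure" sentences; the implicit rule appears to be "bullets only when several enable/disable/not-configured outcomes form a parallel list", which is sensible, but it is applied by hand across dozens of files here and is not stated anywhere, so it is worth writing down in the contribution notes for this CSP reference so later passes do not flip these lines back.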

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DataCollection Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This policy setting defines the identifier used to uniquely associate this device's diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
- If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization.
If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization.
<!-- CommercialIdPolicy-Description-End -->
<!-- CommercialIdPolicy-Editable-Begin -->
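Review bot: both the untouched intro line and the rewritten "If you disable or do not configure" line say "diagnostic data data"; the duplicated word survives the edit and should be fixed to "diagnostic data" while this line is being changed.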

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DCOM Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -107,7 +107,7 @@ Allows you to specify that local computer administrators can supplement the "Def
<!-- Description-Source-ADMX -->
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors.
DCOM server appids added to this policy must be listed in curly-brace format. For Example: `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings.
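Review bot: wrapping the sample appid `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}` in backticks is a good change, but the same line also changes "For example:" to "For Example:", which is a capitalization regression; keep "For example:" here rather than copying the style of the CredSSP descriptions.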

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Desktop Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -233,7 +233,7 @@ Enables Active Desktop and prevents users from disabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
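Review bot: the trailing context of this hunk contains a stray space in "( in User Configuration\Administrative Templates\...", while the otherwise identical note in the next hunk (@ -296) has "(in User Configuration..."; since this file is being edited, fix the stray space here as well so the two notes match.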
@ -296,7 +296,7 @@ Disables Active Desktop and prevents users from enabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
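Review bot: the sentence being rewritten here, "If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it", is identical to the one in the previous hunk, yet that hunk sits under a description that begins "Enables Active Desktop and prevents users from disabling it" and this one under "Disables Active Desktop and prevents users from enabling it"; please check against the ADMX source that the disabled/not-configured outcome really is the same for both policies, since the two descriptions otherwise describe opposite behaviours.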
@ -1098,7 +1098,7 @@ Removes the Properties option from the Recycle Bin context menu.
<!-- Description-Source-ADMX -->
Prevents users from saving certain changes to the desktop.
- If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
<!-- NoSaveSettings-Description-End -->
<!-- NoSaveSettings-Editable-Begin -->
@ -1343,7 +1343,7 @@ Prevents users from removing Web content from their Active Desktop.
In Active Desktop, you can add items to the desktop but close them so they are not displayed.
- If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
> [!NOTE]
> This setting does not prevent users from deleting items from their Active Desktop.
@ -1585,7 +1585,7 @@ This setting removes all Active Desktop items from the desktop. It also removes
<!-- Description-Source-ADMX -->
Prevents users from manipulating desktop toolbars.
- If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
> [!NOTE]
> If users have added or removed toolbars, this setting prevents them from restoring the default configuration.
@ -1776,7 +1776,7 @@ This setting lets you specify the wallpaper on users' desktops and prevents user
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.
- If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
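Review bot: the rewritten line is fine, but the example paths in the untouched context of this hunk, `C:\Windows\web\wallpaper\home.jpg` and `\\Server\Share\Corp.jpg`, are bare in the markdown, where a leading `\\` and backslash sequences can be swallowed by the renderer; wrap both in backticks as was done for the DCOM appid in this commit.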

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -45,6 +45,7 @@ ms.topic: reference
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
- If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device.
- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
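Review bot: the new bullet "If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices" does not fit this policy, which (per the first line of the hunk) lets Administrators install drivers for any device and specifies no device list; the wording looks copied from the device-ID allow/prevent policies. Either drop "specified" here or confirm the ADMX text really uses it for this setting.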
@ -345,9 +346,11 @@ This policy setting establishes the amount of time (in seconds) that the system
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
NOTE: To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
> [!NOTE]
> To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
- If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated.
- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
- If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DiskQuota Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -189,7 +189,7 @@ This setting overrides new users' settings for the disk quota limit and warning
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
- If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.
If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.
When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
@ -384,7 +384,7 @@ This policy setting does not affect the Quota Entries window on the Quota tab. E
<!-- Description-Source-ADMX -->
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.
- If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only
If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
> [!NOTE]
> When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ErrorReporting Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -243,6 +243,7 @@ This policy setting does not enable or disable Windows Error Reporting. To turn
> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting.
- If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel).
- If you enable this policy setting, you can configure the following settings in the policy setting:
- "Do not display links to any Microsoft 'More information' websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites.
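Review bot: after this addition the description has two consecutive bullets that both open with "If you enable this policy setting", one describing the override of Control Panel settings and the next introducing the list of sub-settings; they read as one outcome split in two, so consider merging them into a single bullet that ends with the colon introducing the sub-setting list.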
@ -1425,6 +1426,7 @@ This policy setting turns off Windows Error Reporting, so that reports are not c
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE.
- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
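Review bot: the added bullet names the "Exclude errors for applications on this list" setting without quotation marks, whereas setting names elsewhere in these descriptions are quoted (for example "Turn off Windows Error Reporting" in the previous hunk); quote it so the reader can tell the UI label from the surrounding sentence.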
@ -1485,6 +1487,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE.
- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
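Review bot: this is the same line added to a second policy description in the same file, with the same unquoted setting name noted on the previous hunk; please also double-check that the precedence statement is correct for both descriptions, since the surrounding text of the two policies is otherwise identical and it is easy for a copied sentence to apply to only one of them.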

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -973,7 +973,7 @@ This policy setting controls Event Log behavior when the log file reaches its ma
<!-- Description-Source-ADMX -->
This policy setting turns on logging.
- If you enable or do not configure this policy setting, then events can be written to this log.
If you enable or do not configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
<!-- Channel_LogEnabled-Description-End -->
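Review bot: dropping the bullet is consistent with the rest of the commit, but the description now mixes two voices: "If you enable or do not configure this policy setting" followed by "If the policy setting is disabled"; aligning the second sentence to "If you disable this policy setting" would match the pattern used everywhere else in this reference.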

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventViewer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -97,7 +97,7 @@ This is the program that will be invoked when the user clicks the events.asp lin
<!-- EventViewer_RedirectionProgramCommandLineParameters-Description-Begin -->
<!-- Description-Source-ADMX -->
This specifies the command line parameters that will be passed to the events.asp program
This specifies the command line parameters that will be passed to the events.asp program.
<!-- EventViewer_RedirectionProgramCommandLineParameters-Description-End -->
<!-- EventViewer_RedirectionProgramCommandLineParameters-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Explorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -165,7 +165,7 @@ This policy setting configures File Explorer to always display the menu bar.
<!-- Description-Source-ADMX -->
This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values.
- If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur.
If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur.
<!-- DisableRoamedProfileInit-Description-End -->
<!-- DisableRoamedProfileInit-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FileSys Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.
A reboot is required for this setting to take effect
A reboot is required for this setting to take effect.
<!-- DisableCompression-Description-End -->
<!-- DisableCompression-Editable-Begin -->
@ -161,7 +161,7 @@ A value of 1 will disable delete notifications for all volumes.
<!-- Description-Source-ADMX -->
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
A reboot is required for this setting to take effect
A reboot is required for this setting to take effect.
<!-- DisableEncryption-Description-End -->
<!-- DisableEncryption-Editable-Begin -->
@ -395,7 +395,8 @@ Remote Link to Local Target
For further information please refer to the Windows Help section
NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated.
> [!NOTE]
> If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated.
<!-- SymlinkEvaluation-Description-End -->
<!-- SymlinkEvaluation-Editable-Begin -->
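Review bot: converting the bare "NOTE:" into a `[!NOTE]` alert is good; while here, the preceding context line "For further information please refer to the Windows Help section" lacks a terminating period, which is exactly what the other hunks in this commit are fixing, and "Disabled or Not Configured" inside the alert should match the lower-case "disable or do not configure" wording used in the rest of these descriptions.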

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FolderRedirection Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -115,7 +115,7 @@ This policy setting allows you to control whether individual redirected shell fo
For the folders affected by this setting, users must manually select the files they wish to make available offline.
- If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline.
If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline.
> [!NOTE]
> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FramePanes Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,9 +44,9 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This policy setting shows or hides the Details Pane in File Explorer.
- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.
If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.
- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user
If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user.
> [!NOTE]
> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time.
@ -108,7 +108,7 @@ If you disable, or do not configure this policy setting, the Details Pane is hid
<!-- Description-Source-ADMX -->
Hides the Preview Pane in File Explorer.
- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.
If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.
If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
<!-- NoReadingPane-Description-End -->
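Review bot: the bullet removal is fine, but the trailing context line "If you disable, or do not configure this setting" carries a stray comma (the same phrasing appears in the header of this hunk, "If you disable, or do not configure this policy setting"); since the neighbouring line is being edited, fix the comma too.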

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_GroupPolicy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -47,10 +47,10 @@ This policy setting allows user-based policy processing, roaming user profiles,
This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.
- If you do not configure this policy setting:
- No user-based policy settings are applied from the user's forest.
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
- No user-based policy settings are applied from the user's forest.
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
- If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.
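Review bot: the four sub-bullets under "If you do not configure this policy setting:" move from four-space to two-space indentation; two spaces is the minimum content offset needed for a nested list under a "- " item, so this should render as a nested list, but please confirm in the built page, since the previous indentation may have been chosen to render correctly in this site's markdown pipeline rather than by accident.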
@ -1117,7 +1117,8 @@ Changing the status of this setting to Enabled will keep any source files from c
Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp.
NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.
> [!NOTE]
> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.
<!-- DisableAutoADMUpdate-Description-End -->
<!-- DisableAutoADMUpdate-Editable-Begin -->
@ -1496,6 +1497,7 @@ The timeout value that is defined in this policy setting determines how long Gro
<!-- EnableLogonOptimizationOnServerSKU-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines.
- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.)
The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
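Review bot: the hunk header (-1496,6 +1497,7) says one line is added, but none of the visible lines is new text, so the addition is presumably a blank line before the "- If you enable this policy setting" bullet; that blank line is needed for the bullet to start a list after the intro paragraph, so it is a correct fix, but a one-line blank insertion is easy to miss in review and the commit message could mention it.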
@ -1819,7 +1821,7 @@ The system's response to a slow policy connection varies among policies. The pro
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
> [!NOTE]
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
@ -1889,7 +1891,7 @@ The system's response to a slow policy connection varies among policies. The pro
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
> [!NOTE]
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
@ -2231,7 +2233,7 @@ This setting allows you to specify the default name for new Group Policy objects
The display name can contain environment variables and can be a maximum of 255 characters long.
- If this setting is disabled or Not Configured, the default display name of New Group Policy object is used.
If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used.
<!-- NewGPODisplayName-Description-End -->
<!-- NewGPODisplayName-Editable-Begin -->
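Review bot: the rewritten line capitalises the states as "Disabled or Not Configured", which is out of step with the rest of this file, where the same branch reads "If you disable or do not configure this policy setting" (see the MMC and Windows Installer hunks further down in this change). Pick one form and apply it consistently; the lower-case wording is the one used everywhere else.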
@ -2694,12 +2696,10 @@ This policy directs Group Policy processing to skip processing any client side e
- If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner.
Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials,
which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available.
> [!NOTE]
> that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
**Note** that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
and Drive Maps preference extension will not be applied.
> [!NOTE]
> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
**Note** There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
1 - At the first computer startup after the client computer has joined the domain.
2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.
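Review bot: the new "**Note** There are two conditions that will cause Group Policy to be processed synchronously" line has no punctuation after the bold word, while the ADMX_Logon hunk in this same change settles on "**Note**:"; use that here too, or keep the `> [!NOTE]` alert the old lines used (it is what the rest of this file uses for notes) and reword the first one to "Because this is a background refresh, extensions requiring synchronous processing ... will not be applied." Also, "1 - At the first computer startup" and "2 - If the policy setting" are not markdown list syntax, so the two conditions will be joined into a single paragraph when rendered.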
@ -2821,6 +2821,7 @@ This policy setting specifies how long Group Policy should wait for network avai
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
By default, the user's Group Policy Objects determine which user settings apply.
- If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
- If you enable this setting, you can select one of the following modes from the Mode box:


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Help Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -187,7 +187,7 @@ This policy setting allows you to restrict programs from being run from online H
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
> [!NOTE]
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help.
<!-- RestrictRunFromHelp-Description-End -->
<!-- RestrictRunFromHelp-Editable-Begin -->
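Review bot: adding the trailing period leaves two grammatical errors on the same line: "If both are settings are used" has a stray "are", and "cannot launched from Help" is missing "be". Suggest: "If both settings are used, any programs listed in either of these locations cannot be launched from Help."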
@ -252,7 +252,7 @@ This policy setting allows you to restrict programs from being run from online H
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
> [!NOTE]
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help.
<!-- RestrictRunFromHelp_Comp-Description-End -->
<!-- RestrictRunFromHelp_Comp-Editable-Begin -->
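Review bot: same issue as the user-scope variant above: "If both are settings are used" and "cannot launched from Help" are left as they were; the line should read "If both settings are used, any programs listed in either of these locations cannot be launched from Help."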


@ -4,7 +4,7 @@ description: Learn more about the ADMX_IIS Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -43,6 +43,7 @@ ms.topic: reference
<!-- PreventIISInstall-Description-Begin -->
<!-- Description-Source-ADMX -->
"This policy setting prevents installation of Internet Information Services (IIS) on this computer.
- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.
- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."
<!-- PreventIISInstall-Description-End -->
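Review bot: the description still carries the quotation marks copied from the ADMX string: the opening `"This policy setting prevents installation` and the closing `require IIS to run."`. Since this hunk already touches the block, drop both quote characters so the text matches the other descriptions in this file.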


@ -4,7 +4,7 @@ description: Learn more about the ADMX_kdc Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -59,8 +59,8 @@ Domain functional level requirements
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected.
When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST).
- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST).
- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
> [!WARNING]
> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller.
@ -68,9 +68,9 @@ When the domain functional level is set to Windows Server 2012 then the domain c
To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled).
Impact on domain controller performance when this policy setting is enabled:
- Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
- Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
<!-- CbacAndArmor-Description-End -->
<!-- CbacAndArmor-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Kerberos Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -237,6 +237,7 @@ This policy setting allows you to specify which DNS host names and which DNS suf
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
- If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections.
> [!WARNING]
> When revocation check is ignored, the server represented by the certificate is not guaranteed valid.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -49,8 +49,8 @@ This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses
- If you disable this policy setting, the DPS is not able to diagnose memory leak problems.
This policy setting takes effect only under the following conditions:
- If the diagnostics-wide scenario execution policy is not configured.
- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
- If the diagnostics-wide scenario execution policy is not configured.
- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
> [!NOTE]
> The DPS can be configured with the Services snap-in to the Microsoft Management Console.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Logon Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -839,15 +839,15 @@ If a user with a roaming profile, home directory, or user object logon script lo
On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup).
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon
- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\.
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon:
- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\.
If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon).
- If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
**Note**
**Note**:
-If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
-If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
<!-- SyncForegroundPolicy-Description-End -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -589,7 +589,7 @@ This policy setting allows you to disable scheduled and real-time scanning for f
<!-- Exclusions_Processes-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as "c\windows\app.exe". The value is not used and it is recommended that this be set to 0.
This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
<!-- Exclusions_Processes-Description-End -->
<!-- Exclusions_Processes-Editable-Begin -->
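Review bot: the corrected example path "c:\windows\app.exe" is left in plain quotes; the security-intelligence fallback-order hunk later in this same file wraps its example in backticks (`{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }`), so do the same here (`c:\windows\app.exe`) for consistency and to keep the backslashes out of markdown's way.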
@ -650,8 +650,8 @@ Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled:
Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
Enter each rule on a new line as a name-value pair:
- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
- Value column: Enter "0" for each item
- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
- Value column: Enter "0" for each item
Disabled:
No exclusions will be applied to the ASR rules.
@ -718,26 +718,26 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
Set the state for each Attack Surface Reduction (ASR) rule.
After enabling this setting, you can set each rule to the following in the Options section:
- Block: the rule will be applied
- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- Off: the rule will not be applied
- Not Configured: the rule is enabled with default values
- Warn: the rule will be applied and the end-user will have the option to bypass the block
- Block: the rule will be applied
- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- Off: the rule will not be applied
- Not Configured: the rule is enabled with default values
- Warn: the rule will be applied and the end-user will have the option to bypass the block
Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured.
Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured.
Enabled:
Specify the state for each ASR rule under the Options section for this setting.
Enter each rule on a new line as a name-value pair:
- Name column: Enter a valid ASR rule ID
- Value column: Enter the status ID that relates to state you want to specify for the associated rule
- Name column: Enter a valid ASR rule ID
- Value column: Enter the status ID that relates to state you want to specify for the associated rule
The following status IDs are permitted under the value column:
- 1 (Block)
- 0 (Off)
- 2 (Audit)
- 5 (Not Configured)
- 6 (Warn)
- 1 (Block)
- 0 (Off)
- 2 (Audit)
- 5 (Not Configured)
- 6 (Warn)
Example:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
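Review bot: the "will the value" to "with the value" fix is right, but the same sentence still has a number-agreement error: "a subsample of audit events are collected" should be "a subsample of audit events is collected". The rest of the hunk is indentation only; the Name/Value and status-ID lists render the same before and after.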
@ -1511,6 +1511,7 @@ This policy setting defines the number of days items should be kept in the Quara
This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
- If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
<!-- RandomizeScheduleTaskTimes-Description-End -->
@ -2823,7 +2824,7 @@ Tracing levels are defined as:
1 - Error
2 - Warning
3 - Info
4 - Debug
4 - Debug.
<!-- Reporting_WppTracingLevel-Description-End -->
<!-- Reporting_WppTracingLevel-Editable-Begin -->
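Review bot: adding a period to "4 - Debug." only makes the last entry inconsistent with "1 - Error", "2 - Warning" and "3 - Info", which have none. The bigger problem is that "N - Label" is not markdown list syntax, so all four levels will be joined into a single line when rendered; write them as a list ("- 1: Error", and so on) or separate them with blank lines.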
@ -4742,7 +4743,7 @@ This policy setting allows you to configure security intelligence updates on sta
<!-- Description-Source-ADMX -->
This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares"
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
For Example: `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }`
- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
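Review bot: "For Example:" capitalises "example" in the new line; the old line had "For example:", which is the correct form, so only the backticks should have changed. The preceding sentence also ends without a period after `"FileShares"`.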
@ -5054,7 +5055,7 @@ This policy setting allows you to specify the time of day at which to check for
<!-- Description-Source-ADMX -->
This policy setting allows you to define the security intelligence location for VDI-configured computers.
- If you disable or do not configure this setting, security intelligence will be referred from the default local source.
If you disable or do not configure this setting, security intelligence will be referred from the default local source.
<!-- SignatureUpdate_SharedSignaturesLocation-Description-End -->
<!-- SignatureUpdate_SharedSignaturesLocation-Editable-Begin -->
@ -5427,7 +5428,7 @@ This policy setting customize which remediation action will be taken for each li
Valid remediation action values are:
2 = Quarantine
3 = Remove
6 = Ignore
6 = Ignore.
<!-- Threats_ThreatIdDefaultAction-Description-End -->
<!-- Threats_ThreatIdDefaultAction-Editable-Begin -->
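Review bot: same issue as the tracing-level hunk above: the period on "6 = Ignore." is inconsistent with "2 = Quarantine" and "3 = Remove", and the three "N = Action" lines are not list syntax, so they will render as one run-on line. The hunk header context line also reads "This policy setting customize which remediation action", which should be "customizes".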
@ -5603,7 +5604,7 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus noti
<!-- Description-Source-ADMX -->
This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
- If you enable this setting AM UI won't show reboot notifications.
If you enable this setting AM UI won't show reboot notifications.
<!-- UX_Configuration_SuppressRebootNotification-Description-End -->
<!-- UX_Configuration_SuppressRebootNotification-Editable-Begin -->
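Review bot: "supress" in the unchanged context line "This policy setting allows user to supress reboot notifications" is a typo for "suppress", and "allows user" should be "allows the user". The rewritten line also needs a comma: "If you enable this setting, AM UI won't show reboot notifications."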
@ -5660,7 +5661,7 @@ This policy setting allows user to supress reboot notifications in UI only mode
<!-- UX_Configuration_UILockdown-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display AM UI to the users.
- If you enable this setting AM UI won't be available to users.
If you enable this setting AM UI won't be available to users.
<!-- UX_Configuration_UILockdown-Description-End -->
<!-- UX_Configuration_UILockdown-Editable-Begin -->
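Review bot: the rewritten line needs a comma after the conditional clause: "If you enable this setting, AM UI won't be available to users." The hunk header context repeats the "supress" typo from the previous setting.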


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MMC Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -114,7 +114,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -184,7 +184,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -260,7 +260,7 @@ As a result, users cannot create console files or add or remove snap-ins. Also,
This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt.
- If you disable this setting or do not configure it, users can enter author mode and open author-mode console files.
If you disable this setting or do not configure it, users can enter author mode and open author-mode console files.
<!-- MMC_Restrict_Author-Description-End -->
<!-- MMC_Restrict_Author-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MMCSnapins Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2564,7 +2564,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX -->
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.
- If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.
If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSAPolicy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -43,6 +43,7 @@ ms.topic: reference
<!-- MicrosoftAccount_DisableUserAuth-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
- If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSDT Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -115,6 +115,7 @@ Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by
These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem.
- If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only.
- If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading.
- If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -551,7 +551,7 @@ Also, see the "Enable user to use media source while elevated" and "Hide the 'Ad
<!-- Description-Source-ADMX -->
This policy setting restricts the use of Windows Installer.
- If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.
If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.
- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.
@ -681,7 +681,7 @@ Also, see the "Enable user to patch elevated products" policy setting.
<!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
@ -743,7 +743,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
@ -1303,7 +1303,7 @@ When you enable this policy setting, you can specify the types of events you wan
To disable logging, delete all of the letters from the box.
- If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
<!-- MSILogging-Description-End -->
<!-- MSILogging-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -56,7 +56,7 @@ We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
At least one of the entries must be a PING: resource.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:<https://myserver.corp.contoso.com/> or HTTP:https://2002:836b:1::1/.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
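Review bot: dropping the `<...>` wrapper makes the first example consistent with the second, but the second example itself, `HTTP:https://2002:836b:1::1/`, is not a valid URL: an IPv6 literal in the host position of a URL must be enclosed in square brackets (`https://[2002:836b:1::1]/`), so the example as written would not be parsed as the description intends. The descriptions in this file are marked `Description-Source-ADMX` (see the next hunk), so the correction belongs in the ADMX source or in the policy's `Editable` section rather than in the generated block, or it will be regenerated unchanged.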
@ -290,7 +290,7 @@ If this setting is not configured, the string that appears for DirectAccess conn
<!-- Description-Source-ADMX -->
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the [Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11)) (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
The ability to disconnect allows users to specify single-label, unqualified names (such as "PRINTSVR") for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
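Review bot: the new NRPT cross-reference is inserted inside the `<!-- Description-Source-ADMX -->` block, and the `-Editable-` sections touched elsewhere in this change carry the comment that anything outside them gets overwritten, so this link is likely to be lost on the next regeneration; move it to the `Editable` section for this policy. While doing so, consider promoting the inline `**Note** that NCA does not remove the existing IPsec tunnels...` to the `> [!NOTE]` callout style the rest of these files use, since the point that Disconnect removes the NRPT rules but leaves the IPsec tunnels and intranet reachability by IPv6 address in place is the caveat an administrator most needs to see.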

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_NCSI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -47,6 +47,8 @@ This policy setting enables you to specify the expected address of the host name
<!-- NCSI_CorpDnsProbeContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This applies exclusively to DirectAccess clients.
<!-- NCSI_CorpDnsProbeContent-Editable-End -->
<!-- NCSI_CorpDnsProbeContent-DFProperties-Begin -->
@ -102,6 +104,8 @@ This policy setting enables you to specify the host name of a computer known to
<!-- NCSI_CorpDnsProbeHost-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This applies exclusively to DirectAccess clients.
<!-- NCSI_CorpDnsProbeHost-Editable-End -->
<!-- NCSI_CorpDnsProbeHost-DFProperties-Begin -->
@ -157,6 +161,8 @@ This policy setting enables you to specify the list of IPv6 corporate site prefi
<!-- NCSI_CorpSitePrefixes-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This applies exclusively to DirectAccess clients.
<!-- NCSI_CorpSitePrefixes-Editable-End -->
<!-- NCSI_CorpSitePrefixes-DFProperties-Begin -->
@ -212,6 +218,8 @@ This policy setting enables you to specify the URL of the corporate website, aga
<!-- NCSI_CorpWebProbeUrl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This applies exclusively to DirectAccess clients.
<!-- NCSI_CorpWebProbeUrl-Editable-End -->
<!-- NCSI_CorpWebProbeUrl-DFProperties-Begin -->
@ -267,6 +275,8 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
<!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
<!-- NCSI_DomainLocationDeterminationUrl-Editable-End -->
<!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin -->
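Review bot: the wording of this callout should be tightened to match the four one-sentence notes added above it; "it does NOT apply for example to VPN clients" and "please refer to" read informally for reference documentation. Suggested text: `> This is the Network Location Server (NLS) URL and applies only to DirectAccess clients (not, for example, to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, see [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).` Also confirm that `policy-csp-networklistmanager.md` exists in the same folder, since the link is relative.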
@ -317,8 +327,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
<!-- NCSI_GlobalDns-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on.
- If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
<!-- NCSI_GlobalDns-Description-End -->
<!-- NCSI_GlobalDns-Editable-Begin -->
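Review bot: this hunk folds the "If you enable this setting, NCSI will allow the DNS lookups to happen on any interface." sentence into the preceding paragraph, whereas every other description hunk in this change keeps that sentence as its own paragraph and only strips the stray list dash; keep the separate paragraph here for consistency. The description also states only the enabled behaviour; a line in the `NCSI_GlobalDns-Editable` section noting that disabled or not configured keeps the default (lookups restricted to the interface being probed) would complete it without touching the ADMX-sourced text.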

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -54,7 +54,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_AddressLookupOnPingBehavior-Description-End -->
<!-- Netlogon_AddressLookupOnPingBehavior-Editable-Begin -->
@ -955,7 +955,7 @@ DCs configured to perform dynamic registration of the DC Locator DNS resource re
To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsRefreshInterval-Description-End -->
<!-- Netlogon_DnsRefreshInterval-Editable-Begin -->
@ -1082,7 +1082,7 @@ This policy setting specifies the value for the Time-To-Live (TTL) field in SRV
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsTtl-Description-End -->
<!-- Netlogon_DnsTtl-Editable-Begin -->
@ -1141,7 +1141,7 @@ This policy setting specifies the additional time for the computer to wait for t
To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_ExpectedDialupDelay-Description-End -->
<!-- Netlogon_ExpectedDialupDelay-Editable-Begin -->
@ -1265,7 +1265,7 @@ The GC Locator DNS records and the site-specific SRV records are dynamically reg
To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
<!-- Netlogon_GcSiteCoverage-Description-End -->
<!-- Netlogon_GcSiteCoverage-Editable-Begin -->
@ -1391,7 +1391,7 @@ The Priority field in the SRV record sets the preference for target hosts (speci
To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvPriority-Description-End -->
<!-- Netlogon_LdapSrvPriority-Editable-Begin -->
@ -1452,7 +1452,7 @@ The Weight field in the SRV record can be used in addition to the Priority value
To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvWeight-Description-End -->
<!-- Netlogon_LdapSrvWeight-Editable-Begin -->
@ -1510,6 +1510,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
By default, the maximum size of the log file is 20MB.
- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
- If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
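Review bot: this hunk only inserts a line after "By default, the maximum size of the log file is 20MB." and leaves both "- If you enable this policy setting, the maximum size of the log file..." and "- If you disable or do not configure this policy setting..." as list items, while every other Netlogon hunk in this change strips the dash from the same sentence pattern; strip it here too so the file reads consistently.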
@ -1573,7 +1574,7 @@ The application directory partition DC Locator DNS records and the site-specific
To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_NdncSiteCoverage-Description-End -->
<!-- Netlogon_NdncSiteCoverage-Editable-Begin -->
@ -1823,7 +1824,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_PingUrgencyMode-Description-End -->
<!-- Netlogon_PingUrgencyMode-Editable-Begin -->
@ -1949,7 +1950,7 @@ The DC Locator DNS records are dynamically registered by the Net Logon service,
To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_SiteCoverage-Description-End -->
<!-- Netlogon_SiteCoverage-Editable-Begin -->
@ -2010,7 +2011,7 @@ An Active Directory site is one or more well-connected TCP/IP subnets that allow
To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_SiteName-Description-End -->
<!-- Netlogon_SiteName-Editable-Begin -->
@ -2076,7 +2077,7 @@ By default, the SYSVOL share will grant shared read access to files on the share
> [!NOTE]
> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
<!-- Netlogon_SysvolShareCompatibilityMode-Description-End -->
<!-- Netlogon_SysvolShareCompatibilityMode-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_NetworkConnections Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -544,7 +544,7 @@ Specifies whether or not the "local access only" network icon will be shown.
When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only.
- If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only.
If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only.
<!-- NC_DoNotShowLocalOnlyIcon-Description-End -->
<!-- NC_DoNotShowLocalOnlyIcon-Editable-Begin -->
@ -950,6 +950,7 @@ This setting determines whether the Properties menu item is enabled, and thus, w
> [!NOTE]
> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box.
- If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.
> [!NOTE]
@ -1378,6 +1379,7 @@ This setting determines whether the Properties menu item is enabled, and thus, w
> [!NOTE]
> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box.
- If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.
> [!NOTE]
@ -1445,7 +1447,7 @@ To create an all-user connection, on the Connection Availability page in the New
- If you disable this setting, the Rename option is disabled for nonadministrators only.
If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections.
- If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections.
> [!NOTE]
> This setting does not apply to Administrators
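Review bot: after this hunk the description mixes a list item ("- If you disable this setting, the Rename option is disabled for nonadministrators only.") with a plain paragraph ("If you do not configure the setting, only Administrators and Network Configuration Operators can rename...") for two parallel sentences; either both should remain list items or both should lose the dash. The trailing callout "> This setting does not apply to Administrators" is also missing its period.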

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1642,7 +1642,7 @@ Hides or displays reminder balloons, and prevents users from changing the settin
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.
@ -1713,7 +1713,7 @@ Hides or displays reminder balloons, and prevents users from changing the settin
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.
@ -1847,7 +1847,7 @@ Deletes local copies of the user's offline files when the user logs off.
This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files.
- If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use.
If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use.
> [!CAUTION]
> Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost.
@ -1968,7 +1968,7 @@ This policy setting allows you to turn on economical application of administrati
<!-- Description-Source-ADMX -->
Determines how often reminder balloon updates appear.
- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.
@ -2032,7 +2032,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!-- Description-Source-ADMX -->
Determines how often reminder balloon updates appear.
- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.
@ -2744,7 +2744,7 @@ Determines whether offline files are synchonized before a computer is suspended.
- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
- If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
> [!NOTE]
> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed.
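Review bot: the added line carries over the grammatical error from the removed one: "If you disable or do not configuring this setting" should read "If you disable or do not configure this setting"; since the line is being rewritten anyway, fix it here and in the identical hunk at `@ -2806`. The hunk header context also shows "synchonized" for "synchronized". Both strings come from the ADMX description, so the fix may need to go upstream to survive regeneration.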
@ -2806,7 +2806,7 @@ Determines whether offline files are synchonized before a computer is suspended.
- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
- If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
> [!NOTE]
> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -261,10 +261,9 @@ Hosted cache clients must trust the server certificate that is issued to the hos
<!-- EnableWindowsBranchCache_HostedCacheDiscovery-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site.
- If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
- If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy.
If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy.
When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances:

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Printing Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -242,6 +242,7 @@ Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Opt
<!-- DomainPrinters-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.)
- If this policy setting is disabled, the network scan page will not be displayed.
@ -258,6 +259,7 @@ In order to view available Web Services printers on your network, ensure that ne
If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
In Windows 10 and later, only TCP/IP printers can be shown in the wizard.
- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
@ -577,7 +579,7 @@ Adds a link to an Internet or intranet Web page to the Add Printer Wizard.
You can use this setting to direct users to a Web page from which they can install printers.
- If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers.
If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers.
This setting makes it easy for users to find the printers you want them to add.
@ -823,13 +825,14 @@ Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default
<!-- NoDeletePrinter-Description-Begin -->
<!-- Description-Source-ADMX -->
- If this policy setting is enabled, it prevents users from deleting local and network printers.
If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action.
This setting does not prevent users from running other programs to delete a printer.
If this policy is disabled, or not configured, users can delete printers using the methods described above.
- If this policy is disabled, or not configured, users can delete printers using the methods described above.
<!-- NoDeletePrinter-Description-End -->
<!-- NoDeletePrinter-Editable-Begin -->
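Review bot: the hunk strips the dash from "If this policy is disabled, or not configured, users can delete printers..." but leaves the parallel "- If this policy setting is enabled, it prevents users from deleting local and network printers." as a list item, so the description now opens with a one-item list followed by plain paragraphs; treat both sentences the same way. The same mixed result appears in the DomainPrinters and PrinterDirectorySearchScope hunks of this file.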
@ -898,6 +901,7 @@ Shared printers: 50
If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
In Windows 10 and later, only TCP/IP printers can be shown in the wizard.
- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
@ -1204,6 +1208,7 @@ Windows Vista and later clients will attempt to make a non-package point and pri
<!-- PhysicalLocation-Description-Begin -->
<!-- Description-Source-ADMX -->
- If this policy setting is enabled, it specifies the default location criteria used when searching for printers.
This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting.
@ -1463,7 +1468,7 @@ Specifies the Active Directory location where searches for printers begin.
The Add Printer Wizard gives users the option of searching Active Directory for a shared printer.
- If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory.
If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory.
This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory.
<!-- PrinterDirectorySearchScope-Description-End -->
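Review bot: inconsistent bullet handling within this file. This hunk drops the leading "- " from "If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box." while the NoDeletePrinter hunk above adds it to "If this policy is disabled, or not configured, users can delete printers using the methods described above." Pick one convention for the enable/disable sentences in the Description-Source-ADMX blocks and apply it to every hunk; since this file already uses bulleted branches, keeping "- If you enable this policy setting, ..." here is the smaller change.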



@ -4,7 +4,7 @@ description: Learn more about the ADMX_Printing2 Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -251,7 +251,7 @@ By default, the pruning service contacts computers every eight hours and allows
- If you enable this setting, you can change the interval between contact attempts.
If you do not configure or disable this setting the default values will be used.
- If you do not configure or disable this setting the default values will be used.
> [!NOTE]
> This setting is used only on domain controllers.
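Review bot: the added line "If you do not configure or disable this setting the default values will be used." is missing the comma after "this setting"; the parallel sentence in the next hunk of this file reads "If you do not configure or disable this setting, the default values are used." Align the two (comma, and "are used" versus "will be used") so the two pruning descriptions read the same.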
@ -381,7 +381,7 @@ By default, the pruning service contacts computers every eight hours and allows
- If you enable this setting, you can change the interval between attempts.
If you do not configure or disable this setting, the default values are used.
- If you do not configure or disable this setting, the default values are used.
> [!NOTE]
> This setting is used only on domain controllers.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Programs Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -46,7 +46,7 @@ This setting removes the Set Program Access and Defaults page from the Programs
The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations.
- If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
This setting does not prevent users from using other tools and methods to change program access or defaults.
@ -177,7 +177,7 @@ This setting prevents users from accessing "Installed Updates" page from the "Vi
"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers.
- If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users.
If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users.
This setting does not prevent users from using other tools and methods to install or uninstall programs.
<!-- NoInstalledUpdates-Description-End -->
@ -237,7 +237,7 @@ This setting does not prevent users from using other tools and methods to instal
<!-- Description-Source-ADMX -->
This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer.
- If this setting is disabled or not configured, "Programs and Features" will be available to all users.
If this setting is disabled or not configured, "Programs and Features" will be available to all users.
This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace.
<!-- NoProgramsAndFeatures-Description-End -->
@ -299,7 +299,7 @@ This setting prevents users from using the Programs Control Panel in Category Vi
The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel.
- If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users.
If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users.
When enabled, this setting takes precedence over the other settings in this folder.
@ -361,7 +361,7 @@ This setting does not prevent users from using other tools and methods to instal
<!-- Description-Source-ADMX -->
This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services.
- If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users.
If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users.
This setting does not prevent users from using other tools and methods to configure services or enable or disable program components.
<!-- NoWindowsFeatures-Description-End -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_PushToInstall Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -42,7 +42,7 @@ ms.topic: reference
<!-- DisablePushToInstall-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web.
If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web.
<!-- DisablePushToInstall-Description-End -->
<!-- DisablePushToInstall-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_RPC Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -273,7 +273,7 @@ This policy setting determines whether the RPC Runtime maintains RPC state infor
- If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information.
- "None" indicates that the system does not maintain any RPC state information
- "None" indicates that the system does not maintain any RPC state information.
> [!NOTE]
> Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_sam Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,19 +44,19 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
For more information on the ROCA vulnerability, please see
For more information on the ROCA vulnerability, please see:
<https//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361>
<https//en.wikipedia.org/wiki/ROCA_vulnerability>
<https://en.wikipedia.org/wiki/ROCA_vulnerability>
- If you enable this policy setting the following options are supported
If you enable this policy setting the following options are supported:
Ignore during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
Audit during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Block during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
This setting only takes effect on domain controllers.
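Review bot: the three options now read "Ignore: ...", "Audit: ...", "Block: ..." as bare paragraphs following "If you enable this policy setting the following options are supported:". Render them as a list ("- Ignore: during authentication the domain controller will not probe ...") so the option names stand apart from the behaviour text and match the bulleted branches used in the other descriptions; a comma after "policy setting" in the lead sentence would also help. The URL fixes (https// to https://) on the two CVE and Wikipedia links are correct.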
@ -66,7 +66,7 @@ A reboot is not required for changes to this setting to take effect.
**Note** to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
More information is available at <https//go.microsoft.com/fwlink/?linkid=2116430>.
More information is available at< https://go.microsoft.com/fwlink/?linkid=2116430>.
<!-- SamNGCKeyROCAValidation-Description-End -->
<!-- SamNGCKeyROCAValidation-Editable-Begin -->
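Review bot: the space landed on the wrong side of the angle bracket on the added line "More information is available at< https://go.microsoft.com/fwlink/?linkid=2116430>." A Markdown autolink cannot begin with a space, so this renders as literal text, and "at<" is a typo; it should read "available at <https://go.microsoft.com/fwlink/?linkid=2116430>." While this description is being touched, the unchanged "**Note** to avoid unexpected disruptions ..." line above would be more consistent as a "> [!NOTE]" alert, as used elsewhere in these files.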


@ -4,7 +4,7 @@ description: Learn more about the ADMX_SettingSync Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "app settings" group will not be synced.
If you enable this policy setting, the "app settings" group will not be synced.
Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled.
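Review bot: the unchanged line "Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled." has "it" where "is" is meant, and the same typo recurs in the AppSync, passwords, desktop personalization, personalize, "sync your settings" and "Other Windows settings" hunks below (only the Start layout hunk reads "is turned off"). Since this change already touches every one of those descriptions, fix the typo in the same pass; if the text is generated from the ADMX source, the fix belongs there.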
@ -106,7 +106,7 @@ If you do not set or disable this setting, syncing of the "app settings" group i
<!-- Description-Source-ADMX -->
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "AppSync" group will not be synced.
If you enable this policy setting, the "AppSync" group will not be synced.
Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.
@ -168,7 +168,7 @@ If you do not set or disable this setting, syncing of the "AppSync" group is on
<!-- Description-Source-ADMX -->
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "passwords" group will not be synced.
If you enable this policy setting, the "passwords" group will not be synced.
Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled.
@ -230,7 +230,7 @@ If you do not set or disable this setting, syncing of the "passwords" group is o
<!-- Description-Source-ADMX -->
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "desktop personalization" group will not be synced.
If you enable this policy setting, the "desktop personalization" group will not be synced.
Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled.
@ -292,7 +292,7 @@ If you do not set or disable this setting, syncing of the "desktop personalizati
<!-- Description-Source-ADMX -->
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "personalize" group will not be synced.
If you enable this policy setting, the "personalize" group will not be synced.
Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled.
@ -354,7 +354,7 @@ If you do not set or disable this setting, syncing of the "personalize" group is
<!-- Description-Source-ADMX -->
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.
- If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.
If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.
Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled.
@ -416,7 +416,7 @@ If you do not set or disable this setting, "sync your settings" is on by default
<!-- Description-Source-ADMX -->
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "Start layout" group will not be synced.
If you enable this policy setting, the "Start layout" group will not be synced.
Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled.
@ -478,7 +478,7 @@ If you do not set or disable this setting, syncing of the "Start layout" group i
<!-- Description-Source-ADMX -->
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings.
- If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection.
If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection.
If you do not set or disable this setting, syncing on metered connections is configurable by the user.
<!-- DisableSyncOnPaidNetwork-Description-End -->
@ -538,7 +538,7 @@ If you do not set or disable this setting, syncing on metered connections is con
<!-- Description-Source-ADMX -->
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "Other Windows settings" group will not be synced.
If you enable this policy setting, the "Other Windows settings" group will not be synced.
Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -31,7 +31,7 @@ ms.topic: reference
<!-- PublishDfsRoots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- PublishDfsRoots-Applicability-End -->
<!-- PublishDfsRoots-OmaUri-Begin -->
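Review bot: the applicability row now lists only "Windows 11, version 21H2 [10.0.22000] and later", dropping the Windows 10 version 2004 [10.0.19041.1202], 2009 [10.0.19042.1202] and 21H1 [10.0.19043.1202] entries. Every other change in this file is punctuation, so confirm the narrower support range is intentional and reflects the policy's actual availability rather than a generation artifact; otherwise restore the Windows 10 entries.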
@ -46,7 +46,7 @@ This policy setting determines whether the user can publish DFS roots in Active
- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .
- If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled
- If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled.
> [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured.
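Review bot: the unchanged line above the fixed one still has a space before the period in "publish DFS roots as shared folders in AD DS ."; remove it in the same pass, since this hunk is already adding the missing period to the sibling "disable" sentence.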
@ -109,7 +109,7 @@ This policy setting determines whether the user can publish shared folders in Ac
- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS.
- If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled
- If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled.
> [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured.


@ -4,7 +4,7 @@ description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Po
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -175,6 +175,7 @@ This policy setting only prevents users from running programs that are started b
> [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> [!NOTE]
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
<!-- DisallowApps-Description-End -->
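Review bot: the note added under DisallowApps says "To create a list of allowed applications, click Show.", which is the same wording as the RestrictApps hunk that follows. By its name and by the surrounding "only prevents users from running programs" text, DisallowApps is a list of applications that may not run, so "allowed" is misleading here. If the sentence comes from the ADMX source, fix it there; otherwise change it to "a list of disallowed applications" for this policy.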
@ -242,6 +243,7 @@ This policy setting only prevents users from running programs that are started b
> [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> [!NOTE]
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
<!-- RestrictApps-Description-End -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Smartcard Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/23/2023
ms.date: 03/27/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -352,6 +352,7 @@ This policy setting allows you to manage the certificate propagation that occurs
<!-- CertPropRootCleanupString-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the clean up behavior of root certificates.
- If you enable this policy setting then root certificate cleanup will occur according to the option selected.
- If you disable or do not configure this setting then root certificate clean up will occur on log off.
<!-- CertPropRootCleanupString-Description-End -->
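Review bot: spelling is inconsistent across three adjacent lines: "clean up behavior" and "clean up will occur on log off" versus the added "root certificate cleanup will occur according to the option selected". Use "cleanup" as the noun throughout, and add the comma after "If you enable this policy setting" and "If you disable or do not configure this setting" to match the other bulleted branches in this file.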
@ -413,7 +414,7 @@ This policy setting allows you to manage the root certificate propagation that o
- If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card.
> [!NOTE]
> For this policy setting to work the following policy setting must also be enabled Turn on certificate propagation from smart card.
> For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card.
- If you disable this policy setting then root certificates will not be propagated from the smart card.
<!-- CertPropRootEnabledString-Description-End -->
@ -542,6 +543,7 @@ This policy setting allows you to control whether elliptic curve cryptography (E
> [!NOTE]
> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
> [!NOTE]
> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network.
<!-- EnumerateECCCerts-Description-End -->
@ -606,7 +608,7 @@ During the certificate renewal period, a user can have multiple valid logon cert
If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown.
> [!NOTE]
> This setting will be applied after the following policy "Allow time invalid certificates"
> This setting will be applied after the following policy: "Allow time invalid certificates"
- If you enable or do not configure this policy setting, filtering will take place.
@ -794,9 +796,9 @@ This policy setting lets you reverse the subject name from how it is stored in t
By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.
- If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
If you disable, the subject name will be displayed as it appears in the certificate.
If you disable , the subject name will be displayed as it appears in the certificate.
<!-- ReverseSubject-Description-End -->
<!-- ReverseSubject-Editable-Begin -->
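Review bot: the added line introduces a stray space before the comma in "If you disable , the subject name will be displayed as it appears in the certificate."; it should read "If you disable this policy setting, the subject name ...". The same hunk drops the "- " bullet from "If you enable this policy setting or do not configure this setting, then the subject name will be reversed.", whereas the CertPropRootEnabledString hunk above keeps "- If you enable or do not configure this policy setting then root certificate propagation ..."; keep the bullets consistent within the file.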


@ -4,7 +4,7 @@ description: Learn more about the ADMX_srmfci Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -227,7 +227,7 @@ The Classification tab enables users to manually classify files by selecting pro
<!-- EnableShellAccessCheck-Description-Begin -->
<!-- Description-Source-ADMX -->
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types.
<!-- EnableShellAccessCheck-Description-End -->
<!-- EnableShellAccessCheck-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_StartMenu Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 03/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -42,6 +42,7 @@ ms.topic: reference
<!-- AddSearchInternetLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms.
- If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box.
@ -173,6 +174,7 @@ This policy also does not clear items that the user may have pinned to the Jump
<!-- ClearRecentProgForNewUserInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.
- If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.
@ -231,6 +233,7 @@ This policy also does not clear items that the user may have pinned to the Jump
<!-- ClearTilesOnExit-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on.
- If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile.
@ -550,7 +553,7 @@ This setting makes it easier for users to distinguish between programs that are
Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use.
- If you disable this setting or do not configure it, all Start menu shortcuts appear as black text.
If you disable this setting or do not configure it, all Start menu shortcuts appear as black text.
> [!NOTE]
> Enabling this setting can make the Start menu slow to open.
@ -673,7 +676,7 @@ Disables personalized menus.
Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu.
- If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect.
If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect.
> [!NOTE]
> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting.
@ -868,7 +871,7 @@ The notification area is located in the task bar, generally at the bottom of the
- If you disable this setting, the system notification area will always collapse notifications.
If you do not configure it, the user can choose if they want notifications collapsed.
- If you do not configure it, the user can choose if they want notifications collapsed.
<!-- NoAutoTrayNotify-Description-End -->
<!-- NoAutoTrayNotify-Editable-Begin -->
@ -1115,8 +1118,7 @@ This policy setting prevents users from performing the following commands from t
<!-- Description-Source-ADMX -->
Removes items in the All Users profile from the Programs menu on the Start menu.
By default, the Programs menu contains items from the All Users profile and items from the user's profile.
- If you enable this setting, only items in the user's profile appear in the Programs menu.
By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.
> [!TIP]
> To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.
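Review bot: this hunk folds the bulleted "- If you enable this setting, only items in the user's profile appear in the Programs menu." into the preceding "By default, the Programs menu contains items from the All Users profile ..." sentence as one paragraph, while the other hunks in this file (ClearRecentProgForNewUserInStartMenu, ClearTilesOnExit, NoGamesFolderOnStartMenu) keep the enable/disable branches as separate "- If you enable ..." bullets. Keep the two sentences separate and bulleted here for consistency.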
@ -1311,6 +1313,7 @@ This policy setting affects the specified user interface elements only. It does
<!-- NoGamesFolderOnStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy the start menu will not show a link to the Games folder.
- If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel.
@ -1499,6 +1502,7 @@ This policy setting does not prevent users from pinning programs to the Start Me
<!-- NoMoreProgramsList-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu.
Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.
@ -1628,6 +1632,7 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po
<!-- NoPinnedPrograms-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu.
In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog.
@ -1692,7 +1697,7 @@ Removes the Recent Items menu from the Start menu. Removes the Documents menu fr
The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents.
- If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on.
If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on.
If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.
@ -1973,6 +1978,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchCommInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy the start menu search box will not search for communications.
- If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel.
@ -2031,6 +2037,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchComputerLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box.
- If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box.
@ -2089,6 +2096,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchEverywhereLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
- If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.
@ -2147,9 +2155,11 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchFilesInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy setting the Start menu search box will not search for files.
- If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel.
- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
<!-- NoSearchFilesInStartMenu-Description-End -->
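Review bot: the third statement in the NoSearchFilesInStartMenu description, "If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown ...", says nothing about file search and is word for word the enable branch of NoSearchEverywhereLinkInStartMenu from the previous hunk; it reads as a copy-and-paste carry-over. Remove it, or if a third statement is intended, it should describe what happens to file search under this policy.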
@ -2206,6 +2216,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchInternetInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy the start menu search box will not search for internet history or favorites.
- If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel.
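Review bot: "the start menu will search for for internet history or favorites" has a doubled "for"; it should read "will search for internet history or favorites".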
@ -2264,6 +2275,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchProgramsInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy setting the Start menu search box will not search for programs or Control Panel items.
- If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel.
@ -2822,6 +2834,7 @@ This policy setting allows you to remove the Downloads link from the Start Menu.
<!-- NoStartMenuHomegroup-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu.
- If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu.
@ -3194,7 +3207,7 @@ Taskbar grouping consolidates similar applications when there is no room on the
- If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled.
If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose.
- If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose.
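Review bot: adding the bullet to the "If you disable or do not configure it" line is fine, but while touching this description note that "By default, this setting is always enabled" sits oddly beside a disable/not-configured branch that describes grouping as the default behavior; check the sentence against the ADMX source so the two statements do not contradict each other.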
<!-- NoTaskGrouping-Description-End -->
<!-- NoTaskGrouping-Editable-Begin -->
@ -3447,9 +3460,10 @@ Description: The notification area is located at the far right end of the task b
<!-- NoUninstallFromStart-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, users cannot uninstall apps from Start.
- If you disable this setting or do not configure it, users can access the uninstall command from Start
- If you disable this setting or do not configure it, users can access the uninstall command from Start.
<!-- NoUninstallFromStart-Description-End -->
<!-- NoUninstallFromStart-Editable-Begin -->
@ -3505,6 +3519,7 @@ Description: The notification area is located at the far right end of the task b
<!-- NoUserFolderOnStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this policy the start menu will not show a link to the user's storage folder.
- If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel.
@ -3629,7 +3644,7 @@ This policy setting allows you to remove links and access to Windows Update.
- If you enable this policy setting, users are prevented from connecting to the Windows Update Web site.
Enabling this policy setting blocks user access to the Windows Update Web site at <https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.
Enabling this policy setting blocks user access to the Windows Update Web site at< https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.
Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download.
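Review bot: one of the two versions of the Windows Update sentence in this hunk reads "at< https://windowsupdate.microsoft.com>", with the space moved inside the angle bracket; that breaks the Markdown autolink and renders as "at<" followed by a stray space. Whichever direction the change is meant to go, the line should be kept as "at <https://windowsupdate.microsoft.com>".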
@ -3814,6 +3829,7 @@ This policy setting controls whether the QuickLaunch bar is displayed in the Tas
<!-- RemoveUnDockPCButton-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked.
- If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked.
@ -3995,6 +4011,7 @@ This policy setting shows or hides the "Run as different user" command on the St
<!-- ShowRunInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX -->
- If you enable this setting, the Run command is added to the Start menu.
- If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect.
<!-- ShowRunInStartMenu-Description-End -->
