deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' and more updates

Browse Source
This commit is contained in:
ManikaDhiman 2020-07-07 18:56:22 -07:00
commit 9979c8a04a
2 changed files with 240 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
View File

@ -1,6 +1,6 @@
---
title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet.
description: Overview of how to enable offline updates using Microsoft Endpoint Configuration Manager.
ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772
ms.reviewer:
manager: dansimp
@ -15,9 +15,9 @@ ms.date: 06/26/2017
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. There are also situations where network restrictions or other enterprise policies require that devices download updates from an internal location. This article describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
Here is a table of update path to Windows 10 Mobile.
The following table describes the update path to Windows 10 Mobile.
<table>
<colgroup>
@ -47,9 +47,7 @@ Here is a table of update path to Windows 10 Mobile.
</table>
 
To configure the MDM service provider and enable the mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps.
Here is the outline of the process:
To configure the mobile device management (MDM) service provider and enable mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps:
1. Prepare a test device that can connect to the Internet to download the released update packages.
2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package.
@ -61,64 +59,65 @@ Here is the outline of the process:
8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device.
9. Start the update process from the devices.
As a part of the update process, Windows will run data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings will automatically get migrated to Windows 10 as part of the update process. If the Handheld device was configured for assigned access lockdown, then this configuration will also get migrated to Windows 10 as part of the update process. This includes ProductId & AumId conversion for all internal apps (including buttonremapping apps).
As a part of the update process, Windows runs data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings are automatically migrated to Windows 10 as part of the update process. If the handheld device was configured for assigned access lockdown, then this configuration is also migrated to Windows 10 as part of the update process. This includes ProductId and AumId conversion for all internal apps (including buttonremapping apps).
Note that the migrators do not take care of the following:
Be aware that the migrators do not take care of the following:
- 3rd party apps provided by OEMs
- deprecated 1st party apps, such as Bing News
- deprecated system/application settings, such as Microsoft.Game, Microsoft.IE
- Third-party apps provided by OEMs.
- Deprecated first-party apps, such as Bing News.
- Deprecated system or application settings, such as Microsoft.Game and Microsoft.IE.
In the event of an Enterprise Reset, these migrated settings are automatically persisted.
Down the road, after the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you would need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
After the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset:
1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder.
2. Push down a new ppkg with your new configuration with higher priority. Note that in ICD, Owner=Microsoft, Rank=0 is the lowest priority; and vise versa. With this step, the old assigned access lockdown configuration will be overwritten.
2. Push down a new ppkg with your new configuration with higher priority. (Be aware that in ICD, Owner=Microsoft, Rank=0 is the lowest priority, and vice versa. With this step, the old assigned access lockdown configuration is overwritten.)
**Requirements:**
- The test device must be same as the other production devices that are receiving the updates.
- Your test device must be enrolled with Microsoft Endpoint Configuration Manager.
- Your device can connect to the Internet.
- Your device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access.
- The test device must be enrolled with Microsoft Endpoint Configuration Manager.
- The test device must be connected to the Internet.
- The test device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available through Assigned Access.
The following diagram is a high-level overview of the process.
The following diagram shows a high-level overview of the process.
![update process for windows embedded 8.1 devices](images/windowsembedded-update.png)
## Step 1: Prepare a test device to download updates from Microsoft Update
Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device.
Define the baseline update set that you want to apply to other devices. Use a device that is running the most recent image as the test device.
Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
**Manually**
**Check for updates manually**
1. From the device, go to **Settings** &gt; **Phone updates** &gt; **Check for updates**.
2. Sync the device. Go to **Settings** &gt; **Workplace** &gt; **Enrolled** and click the refresh icon. Repeat as needed.
3. Follow the prompts to download the updates, but do not press the install button.
1. On the device, go to **Settings** > **Phone updates** > **Check for updates**.
2. Sync the device, go to **Settings** > **Workplace** > **Enrolled**, and then select the refresh icon. Repeat as needed.
3. Follow the prompts to download the updates, but do not select the **Install** button.
> **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
> [!NOTE]
> There is a bug in all OS versions up to GDR2 where the Cloud Solution Provider (CSP) does not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
**Using Microsoft Endpoint Configuration Manager**
**Check for updates by using Microsoft Endpoint Configuration Manager**
1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline.
1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
![device scan using Configuration Manager](images/windowsembedded-update2.png)
2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step.
2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
![device scan using Configuration Manager](images/windowsembedded-update3.png)
3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
![device scan using Configuration Manager](images/windowsembedded-update4.png)
4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session).
4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
@ -130,23 +129,24 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p
**Pre-GDR1: Parse a compliance log from the device in ConfigMgr**
1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
1. Use ConfigMgr to create a configuration item to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
> **Note**  In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large.
> [!NOTE]
> In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml, but the process still completes even if the file is large.
If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;.
2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
If the XML file is greater than 32 KB, you can also use ./Vendor/MSFT/FileSystem/&lt;*filename*&gt;.
2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
The dummy value is not be set; it is only used for comparison.
The dummy value is not set; it is only used for comparison.
3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content.
For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card**
1. Create a Configuration Item using ConfigMgr to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
2. The value that you define for this Configuration Item is defined by the relative path to the SD card which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
1. Use ConfigMgr to create a configuration item to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard.
2. The value that you define for this configuration item is defined by the relative path to the SD card, which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml).
3. Remove the SD card from device and copy the XML file to your PC.
## Step 3: Check the status code in the XML file
@ -197,46 +197,49 @@ Here are the two files.
 
For a walkthrough of these steps, [How to deploy controlled updates](#how-to-deploy-controlled-updates). Ensure that the trigger scan configuration baseline HAS NOT been deployed.
For a walkthrough of these steps, see [Deploy controlled updates](#deploy-controlled-updates). Ensure that the Trigger Scan configuration baseline has NOT been deployed.
<a href="" id="deploy-controlled-updates"></a>
### How to deploy controlled updates
This process has three parts:
### Deploy controlled updates
- Create a configuration item for DUControlledUpdates.xml
- Create a configuration item for DUCustomContentURIs.xml
The deployment process has three parts:
- Create a configuration item for DUControlledUpdates.xml.
- Create a configuration item for DUCustomContentURIs.xml.
- Create a configuration item for approved updates.
<a href="" id="create-ducontrolledupdates"></a>
**Create a configuration item for DUControlledUpdates.xml**
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then click **Select**.
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
![embedded device update](images/windowsembedded-update18.png)
2. Browse to the DUControlledUpdates.xml that was created from the test device and specify that file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
![embedded device update](images/windowsembedded-update19.png)
3. Check the box **Remediate noncompliant settings**.
4. Click **OK**.
3. Select **Remediate noncompliant settings**, and then select **OK**.
<a href="" id="create-ducustomcontent"></a>
**Create a configuration item for DUCustomContentURIs.xml**
1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Check the box **Remediate noncompliant settings**.
1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Select **Remediate noncompliant settings**.
![embedded device update](images/windowsembedded-update21.png)
3. Click **OK**.
3. Select **OK**.
<a href="" id="create-config-baseline"></a>
**Create a configuration baseline for approved updates**
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**.
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
![embedded device update](images/windowsembedded-update22.png)
@ -244,20 +247,20 @@ This process has three parts:
![embedded device update](images/windowsembedded-update23.png)
4. Click **OK**.
4. Select **OK**.
## Step 7: Trigger the other devices to scan, download, and install updates
Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
### Use this process for unmanaged devices
### Update unmanaged devices
If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
- Initiated by a periodic scan that the device automatically performs.
- Initiated manually through **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**.
- A periodic scan that the device automatically performs.
- Manually through **Settings** > **Phone Update** > **Check for Updates**.
### Use this process for managed devices
### Update managed devices
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
@ -265,12 +268,13 @@ If the update policy of the device is managed or restricted by MDM, an update pr
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
> **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan.
> [!NOTE]
> Ensure that the PhoneUpdateRestriction Policy is set to a value of 0 so that the device doesn't perform an automatic scan.
- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
After the updates are installed, the IT Admin can use the DUReport generated in the production devices to determine whether the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
<a href="" id="example-script"></a>
## Example PowerShell script
@ -456,71 +460,70 @@ DownloadFiles $inputFile $downloadCache $localCacheURL
```
<a href="" id="how-to-retrieve"></a>
## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs
Use this procedure for pre-GDR1 devices.
## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs
**For pre-GDR1 devices**
Use this procedure for pre-GDR1 devices:
1. Trigger a device scan. Go to **Settings** -&gt; **Phone Update** -&gt; **Check for Updates**.
1. Trigger a device scan by going to **Settings** > **Phone Update** > **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance.
2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Items**.
2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**.
![device update using Configuration Manager](images/windowsembedded-update5.png)
4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**.
5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**.
4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
![device update using Configuration Manager](images/windowsembedded-update6.png)
6. In the **Additional Settings** page, click **Add**.
6. On the **Additional Settings** page, select **Add**.
![device update using Configuration Manager](images/windowsembedded-update7.png)
7. In the **Browse Settings** page, click **Create Setting**.
7. On the **Browse Settings** page, select **Create Setting**.
![device update](images/windowsembedded-update8.png)
8. Enter a unique **Name**. For the **Setting type**, select **OMA-URI** and for the **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, the click **OK**.
8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
![handheld device update](images/windowsembedded-update9.png)
10. In the **Browse Settings** page, click **Close**.
11. In the **Create Configuration Item Wizard** page, check **All Windows Embedded 8.1 Handheld** as the supported platform, and then click **Next**.
10. On the **Browse Settings** page, select **Close**.
11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
![embedded device update](images/windowsembedded-update10.png)
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Click the new created mobile device setting (such as DUReport) and then click **Select**.
14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
![embedded device update](images/windowsembedded-update11.png)
16. Disable remediation by unchecking the **Remediate noncompliant rules when supported** option.
17. Click **OK** to close the Edit Rule page.
18. Create a new configuration baseline. Under **Assets and Compliance** &gt; **Compliance Settings**, right-click on **Configuration Baselines**.
16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
17. Select **OK** to close the **Edit Rule** page.
18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**.
![embedded device update](images/windowsembedded-update12.png)
20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add** and then select the configuration item that you just created (such as DUReport).
21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
![embedded device update](images/windowsembedded-update13.png)
22. Click **OK**, then click **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created and the select **Deploy**.
22. Select **OK**, and then select **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
![embedded device update](images/windowsembedded-update14.png)
24. Check the check box **Remediate noncompliant rules when supported**.
24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
![device update](images/windowsembedded-update15.png)
26. To view the DUReport content, select the appropriate deployment for the configuration saseline that you created. Right-click on the deployment and select **View Status**.
27. Click **Run Summarization** and then click **Refresh**. On the Non-Compliant tab, the test device(s) should be listed.
26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
![device update](images/windowsembedded-update16.png)
29. In the Non-compliant tab, you will see the DUReport, but you cannot retrieve the content from here.
29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
![device update](images/windowsembedded-update17.png)
30. To retrieve the DUReport, open an Explorer windows to C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz" where zzz is the dummy value. Just above this copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
 

183
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -13,9 +13,6 @@ manager: dansimp
# WindowsDefenderApplicationGuard CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
@ -29,22 +26,43 @@ Root node. Supported operation is Get.
Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Microsoft Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 1 - Allow text copying.
- 2 - Allow image copying.
- 3 - Allow text and image copying.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
<!--ADMXMapped-->
ADMX Info:
- GP English name: Configure Microsoft Defender Application Guard clipboard settings
- GP name: AppHVSIClipboardFileType
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard
- 1 - Turns On clipboard operation from an isolated session to the host
- 2 - Turns On clipboard operation from the host to an isolated session
- 3 - Turns On clipboard operation in both the directions
@ -52,15 +70,29 @@ This policy setting allows you to decide how the clipboard behaves while in Appl
> [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Configure Microsoft Defender Application Guard clipboard settings
- GP name: AppHVSIClipboardSettings
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
- 2 - Enables only PDF printing
- 3 - Enables both PDF and XPS printing
- 4 - Enables only local printing
- 5 - Enables both local and XPS printing - 6 - Enables both local and PDF printing
- 5 - Enables both local and XPS printing
- 6 - Enables both local and PDF printing
- 7 - Enables local, PDF, and XPS printing
- 8 - Enables only network printing
- 9 - Enables both network and XPS printing
@ -71,23 +103,61 @@ This policy setting allows you to decide how the print functionality behaves whi
- 14 - Enables network, local, and PDF printing
- 15 - Enables all printing
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Configure Microsoft Defender Application Guard print settings
- GP name: AppHVSIPrintingSettings
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
> [!NOTE]
> This policy is no longer supported in the new Microsoft Edge browser.
> This policy setting is no longer supported in the new Microsoft Edge browser.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
- GP name: BlockNonEnterpriseContent
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow data persistence for Microsoft Defender Application Guard
- GP name: AllowPersistence
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual graphics processing units (GPUs) to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
@ -98,17 +168,40 @@ The following list shows the supported values:
> [!IMPORTANT]
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow hardware-accelerated rendering for Microsoft Defender Application Guard
- GP name: AllowVirtualGPU
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow files to download and save to the host operating system from Microsoft Defender Application Guard
- GP name: SaveFilesToHost
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
Here's an example:
@ -116,25 +209,44 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92
If you disable or dont configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device
- GP name: CertificateThumbprints
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
If you enable this policy, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the users device.
This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
If you disable or don't configure this policy, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the users device.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the users device.
The following list shows the supported values:
- 0 (default) - Microsoft Defender Application Guard cannot access the devices camera and microphone. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the devices camera and microphone.
> [!IMPORTANT]
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow camera and microphone access in Microsoft Defender Application Guard
- GP name: AllowCameraMicrophoneRedirection
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
Value type is integer. Supported operation is Get.
- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
- Bit 1 - Set to 1 when the client machine is Hyper-V capable
@ -144,8 +256,10 @@ Returns bitmask that indicates status of Application Guard installation and pre-
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
- Bit 6 - Set to 1 when system reboot is required
<a href="" id="platformstatus"></a>**PlatformStatus**
Returns bitmask that indicates status of Application Guard platform installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
<a href="" id="platformstatus"></a>**PlatformStatus**
Returns bitmask that indicates status of Application Guard platform installation and pre-requisites on the device.
Value type is integer. Supported operation is Get.
- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
- Bit 1 - Set to 1 when the client machine is Hyper-V capable
@ -154,18 +268,29 @@ Returns bitmask that indicates status of Application Guard platform installation
- Bit 4 - Reserved for MS
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
The following list shows the supported values:
- Install - Will initiate feature install
- Uninstall - Will initiate feature uninstall
<a href="" id="audit"></a>**Audit**
Interior node. Supported operation is Get
Interior node. Supported operation is Get.
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
<!--ADMXMapped-->
ADMX Info:
- GP English name: Allow auditing events in Microsoft Defender Application Guard
- GP name: AuditApplicationGuard
- GP path: Windows Components/Microsoft Defender Application Guard
- GP ADMX file name: AppHVSI.admx
<!--/ADMXMapped-->